CycloneDX / specification

OWASP CycloneDX is a full-stack Bill of Materials (BOM) standard that provides advanced supply chain capabilities for cyber risk reduction. SBOM, SaaSBOM, HBOM, AI/ML-BOM, CBOM, OBOM, MBOM, VDR, and VEX
https://cyclonedx.org/
Apache License 2.0

Request: Add component release/publish date to CycloneDX #472

Closed topiga closed 3 weeks ago

topiga commented 3 weeks ago

Hey everyone! We heavily use the CycloneDX format for our SBOM and vulnerability reports when applicable at my workplace. Something we always add in our reports is the release date of the component. It is quite useful since it permits us to see what/when an administrator has updated their system or when a group of developers has updated their dependencies. It also permits us to see the contrary, at a glance. I think it would be a nice feature to have in the spec. I know there's a field in components->releaseNote->timestamp, but it has to have a type of release, so we don't use it.

I see it being implemented either with the sustainability fields of #400, or by adding a new type of releaseNote: "unknown". It is also possible to simply have a publishedDate/releaseDate/publishedAt/releasedAt field in a component (I think publishedDate would be better for the spec, since it's more general-purpose).

What do you all think?

jkowalleck commented 3 weeks ago

Maybe use the CycloneDX property named cdx:lifecycle:milestone:generalAvailability. See https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/lifecycle.md
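As an added illustration (not code from this issue, the commenters, or the CycloneDX project), here is how a BOM-generating script can record the release date as that property and then use it to spot components that have not been updated in a while, which is the use case the issue describes. It assumes the property value is an ISO 8601 timestamp (as the reporter's comment implies) and uses a constructed minimal CycloneDX 1.5 JSON BOM with made-up components and dates.

```python
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GA_PROPERTY = "cdx:lifecycle:milestone:generalAvailability"

# Constructed sample: a minimal CycloneDX 1.5 JSON BOM with two made-up components.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.0", "bom-ref": "pkg:generic/libfoo@1.2.0"},
        {"type": "library", "name": "libbar", "version": "0.9.1", "bom-ref": "pkg:generic/libbar@0.9.1"},
    ],
}

def set_ga_date(component: dict, released: datetime) -> None:
    """Store the release (general availability) date as a CycloneDX property.
    The value is written as an ISO 8601 UTC timestamp (assumed format); an existing
    entry is replaced so the property is never duplicated on the component."""
    if released.tzinfo is None:
        raise ValueError("release date must be timezone-aware")
    value = released.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")
    props = component.setdefault("properties", [])
    props[:] = [p for p in props if p.get("name") != GA_PROPERTY]
    props.append({"name": GA_PROPERTY, "value": value})

def get_ga_date(component: dict) -> Optional[datetime]:
    """Read the GA date back; None when the component carries no such property."""
    for p in component.get("properties", []):
        if p.get("name") == GA_PROPERTY:
            return datetime.fromisoformat(p["value"].replace("Z", "+00:00"))
    return None

def components_older_than(bom: dict, as_of: datetime, max_age: timedelta) -> list:
    """bom-refs of components whose GA date is older than max_age at 'as_of'.
    Components without a GA date are reported too, since their age is unknown."""
    return [c["bom-ref"] for c in bom.get("components", [])
            if get_ga_date(c) is None or as_of - get_ga_date(c) > max_age]

def annotated_sample_bom() -> dict:
    """Deep copy of SAMPLE_BOM with constructed GA dates set on both components."""
    bom = json.loads(json.dumps(SAMPLE_BOM))
    set_ga_date(bom["components"][0], datetime(2024, 3, 1, tzinfo=timezone.utc))
    set_ga_date(bom["components"][1], datetime(2022, 6, 15, 12, 30, tzinfo=timezone.utc))
    return bom

def stale_in_sample(as_of_iso: str = "2024-05-01T00:00:00Z", max_days: int = 365) -> list:
    """Components in the annotated sample not refreshed within max_days of as_of_iso."""
    as_of = datetime.fromisoformat(as_of_iso.replace("Z", "+00:00"))
    return components_older_than(annotated_sample_bom(), as_of, timedelta(days=max_days))
```

Running stale_in_sample() on the sample reports only libbar, whose constructed GA date is more than a year before the reference date.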

topiga commented 3 weeks ago

Wow!! I didn't even know this repo existed for that! That fixes my problem. I'll change my script to add the values with this property now. Should it be in a doc on the CycloneDX website? EDIT: lifecycle properties were added two weeks ago, that's why I missed it. Btw, I already use the ISO 8601 format, so I almost don't have to change anything ^^

jkowalleck commented 3 weeks ago

The repo itself is already mentioned in the spec docs and guides here and there, when it comes to CycloneDX properties.

> EDIT: lifecycle properties were added two weeks ago, that's why I missed it, [...]

The cdx:lifecycle namespace is pretty new, yes. It is a standardized solution for people who think they might need it to represent certain use cases.

At CycloneDX, we currently have the understanding that such lifecycle information is non-static and should not be included in a static BOM document, see the discussions in #400. But we understand the idea and the wish to communicate such information.

> EDIT: [...] so I almost don't have to change anything ^^

Fantastic!