thompson-tomo opened 4 months ago
Thanks for the suggestion. Perhaps this capability should be incorporated into the wider TM-BOM concepts that we are working on. We will be supporting threats, weaknesses, controls, etc. in CycloneDX v1.7. When we get to controls, that may involve various types of "issues", such as enhancement requests or defects.
Can you expand upon what it is that you're looking for?
What specific use cases are you looking for CycloneDX v1.7 to achieve?
Hi @stevespringett
My end goal is to be able to take an SBOM, which might come from a single source (Dependency Track) or be a merged SBOM combining information from the Dependency Track SBOM and an SBOM created by a tool/script I maintain, which is filled with the issues in a particular version of my application based upon data we store in Jira.
The 3 key aspects I want to have in my release notes are:
By using SBOMs I could even include security enhancements and security vulnerabilities, and if I wanted to take it a step further I could even list all the components as part of technical release notes, as opposed to customer-friendly release notes.
The biggest gain I see is eliminating the need to manually produce the list of issues, and at the same time potentially making my release notes even more comprehensive/detailed by using the data which is available from the SBOM.
Describe the feature
I want to be able to describe not just security vulnerabilities in my software but also functional vulnerabilities ie defects and have this information available for release notes.
Possible solutions
Introduction of an optional field on vulnerabilities, vulnerabilityType, which is an enumeration of security, functional and presentational.
Alternatives
Use custom properties
Additional context
I am attempting to produce release notes using an SBOM, hence wishing to be able to populate the SBOM with defects recorded in our issue tracker (Jira).