Open christophergates opened 4 months ago
Do you mean the source of product updates (like a new version of the software) or patches (code changes needed)? Since this is part of CycloneDX, we just need to see how we can separate different CycloneDX BOMs, if needed. Or do I get it wrong?
Ping @christophergates
TEA codifies how to fetch a BOM/VEX/VDR/Attestation; could we add a feature to also point (i.e. a "URI") to the source of updates/patches? As it currently stands, TEA has already done about 99% of the work needed to provide an update/patch location, but doesn't currently do that. Also, in CDX there is "Pedigree" with commits and patches, which provides very useful information about the changes in an update/patch version after it has been installed; if we could add similar structures to TEA, it would allow the end user to understand the changes in an update/patch before updating or patching the product.
In a Health Sector Coordinating Council working group on performing updates and patches on medical devices in the field, the hospital knowing what has changed before installing the update is one of the most asked-for capabilities.
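To make the "know what changed before installing" use case concrete, here is an added example (not code from the TEA project, CycloneDX, or anyone in this thread) that reads the pedigree block of a CycloneDX component and produces a pre-install change summary. The BOM is constructed for illustration; the component name, versions, commit ids and the resolved issue id `HYPO-0001` are made up. The field names (`pedigree.ancestors`, `pedigree.commits`, `pedigree.patches`, `patch.resolves[].type`) follow the CycloneDX pedigree schema as I understand it, and `needs_review_before_install` is a hypothetical policy hook, not anything TEA defines.

```python
"""Summarise what an update changes from CycloneDX component pedigree data.

Added example for the TEA issue above; not project code. The sample BOM is
constructed, and the pedigree field names follow the CycloneDX schema as
understood by the author of this example.
"""
import json
from typing import Any, Dict, List

# Constructed sample BOM: one component with pedigree (changes known), one
# without (changes unknown). Names, versions and ids are made up.
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {
            "type": "firmware",
            "name": "infusion-pump-fw",
            "version": "2.1.0",
            "pedigree": {
                "ancestors": [
                    {"type": "firmware", "name": "infusion-pump-fw", "version": "2.0.3"}
                ],
                "commits": [
                    {"uid": "a1b2c3d", "message": "Harden TLS config: drop TLS 1.0/1.1"},
                    {"uid": "e4f5a6b", "message": "Fix dosage display rounding"},
                ],
                "patches": [
                    {
                        "type": "backport",
                        "resolves": [
                            {"type": "security", "id": "HYPO-0001",
                             "description": "Auth bypass on maintenance port"},
                            {"type": "defect", "id": "BUG-42",
                             "description": "Rounding error in dose display"},
                        ],
                    }
                ],
            },
        },
        {"type": "library", "name": "vendor-blob", "version": "7.2"},
    ],
})


def _resolved_ids(patches: List[Dict[str, Any]], kind: str) -> List[str]:
    """Collect ids of resolved issues of one type: security, defect or enhancement."""
    ids = []
    for patch in patches:
        for issue in patch.get("resolves", []):
            if issue.get("type") == kind:
                ids.append(issue.get("id") or issue.get("name") or "<unnamed>")
    return ids


def summarize_changes(bom_json: str) -> List[Dict[str, Any]]:
    """Return a per-component pre-install change summary built from pedigree."""
    bom = json.loads(bom_json)
    summaries = []
    for comp in bom.get("components", []):
        entry: Dict[str, Any] = {"component": comp.get("name"), "version": comp.get("version")}
        pedigree = comp.get("pedigree")
        if not pedigree:
            # No pedigree means the BOM cannot tell the operator what changed.
            entry["known_changes"] = False
            summaries.append(entry)
            continue
        patches = pedigree.get("patches", [])
        entry["known_changes"] = True
        entry["ancestors"] = [a.get("version") for a in pedigree.get("ancestors", [])]
        entry["commits"] = [c.get("message", "") for c in pedigree.get("commits", [])]
        entry["security_fixes"] = _resolved_ids(patches, "security")
        entry["defect_fixes"] = _resolved_ids(patches, "defect")
        entry["patch_types"] = sorted({p.get("type", "unknown") for p in patches})
        summaries.append(entry)
    return summaries


def needs_review_before_install(summary: Dict[str, Any]) -> bool:
    """Hypothetical policy: require manual review when changes are unknown or
    when the update carries unofficial/monkey patches rather than backports."""
    if not summary["known_changes"]:
        return True
    return any(t in ("unofficial", "monkey") for t in summary.get("patch_types", []))


if __name__ == "__main__":
    for s in summarize_changes(SAMPLE_BOM):
        flag = "REVIEW" if needs_review_before_install(s) else "ok"
        print(f"{s['component']} {s['version']}: {flag} {json.dumps(s, indent=1)}")
```

The point of the two-component sample is the failure mode the issue is about: for `vendor-blob` the BOM carries no pedigree, so the only honest output is "changes unknown", which a hospital policy would treat as "review before install". A TEA pointer to the update source would give the consumer a place to fetch exactly this kind of data before touching the device.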