Festo-se / cyclonedx-editor-validator

Tool for creating, modifying and validating CycloneDX SBOMs.
https://festo-se.github.io/cyclonedx-editor-validator/
GNU General Public License v3.0

Should `amend` set `compositions` to `unknown` rather than `incomplete`? #161

Closed mmarseu closed 3 months ago

mmarseu commented 4 months ago

As of now, the amend command creates a compositions entry with .aggregate == "incomplete".

The stated goal of this is to explicitly disclaim any completeness of the provided information in the interest of revealing known unknowns. Shouldn't the value then rather be unknown, which expresses exactly that? "Incomplete" means: this SBOM is known to be incomplete, which it might not actually be. "Unknown" only says: we don't guarantee completeness, which seems to be exactly our intent.

italvi commented 4 months ago

Agree, however, I would like to debate about not adding the bom.metadata.component to the list, as we should at least try to know our top-level dependencies. Your opinion?

mmarseu commented 4 months ago

@italvi Seems reasonable to me. In any case, this feature is a result of internal requirements and you're the person to set those requirements. So I don't get a say 😉

italvi commented 4 months ago

But I'm the guy sitting in the ivory tower, so the view of a user is always valuable 😉. So: Let's change incomplete to unknown and not add the metadata.component to the list.
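As an added illustration of the outcome the thread settles on (example code written here, not the project's own `amend` implementation), the following amends a constructed CycloneDX SBOM with a `compositions` entry whose `aggregate` is `unknown` and whose `assemblies` list covers every component with a `bom-ref` except `metadata.component`; the sample SBOM and the `include_metadata_component` switch are assumptions made for the demo.

```python
import copy
from typing import Any

# Aggregate values defined by the CycloneDX schema for compositions.
VALID_AGGREGATES = {
    "complete", "incomplete", "incomplete_first_party_only",
    "incomplete_third_party_only", "unknown", "not_specified",
}

# Constructed sample SBOM for the demo: a root component and two nested libraries.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "application", "name": "demo-app", "bom-ref": "app-root"}},
    "components": [
        {"type": "library", "name": "liba", "version": "1.0", "bom-ref": "pkg:generic/liba@1.0",
         "components": [{"type": "library", "name": "libc", "version": "0.1", "bom-ref": "pkg:generic/libc@0.1"}]},
        {"type": "library", "name": "libb", "version": "2.3", "bom-ref": "pkg:generic/libb@2.3"},
        {"type": "library", "name": "no-ref"},  # no bom-ref: cannot be referenced from assemblies
    ],
}


def _collect_refs(components: list[dict[str, Any]]) -> list[str]:
    """Depth-first list of bom-refs, including nested 'components' entries."""
    refs: list[str] = []
    for comp in components:
        if "bom-ref" in comp:
            refs.append(comp["bom-ref"])
        refs.extend(_collect_refs(comp.get("components", [])))
    return refs


def amend_compositions(sbom: dict[str, Any], aggregate: str = "unknown",
                       include_metadata_component: bool = False) -> dict[str, Any]:
    """Return a copy of sbom with one compositions entry disclaiming completeness.

    Default behaviour matches the thread's decision: aggregate 'unknown' and the
    top-level metadata.component left out of the assemblies list.
    """
    if aggregate not in VALID_AGGREGATES:
        raise ValueError(f"invalid aggregate: {aggregate!r}")
    out = copy.deepcopy(sbom)
    assemblies: list[str] = []
    root = out.get("metadata", {}).get("component", {})
    if include_metadata_component and "bom-ref" in root:
        assemblies.append(root["bom-ref"])
    assemblies.extend(_collect_refs(out.get("components", [])))
    out.setdefault("compositions", []).append({"aggregate": aggregate, "assemblies": assemblies})
    return out
```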