andrew-m-leonard opened 2 weeks ago
Noting that the CycloneDX Bom.java constructor populates a default value of a version into the SBOM at present, version 1. Referencing https://cyclonedx.org/guides/OWASP_CycloneDX-Authoritative-Guide-to-SBOM-en.pdf,
> The bom element has properties for serialNumber and version. Together these two properties form the identity of a BOM.
>
> **Serial Number** Every BOM generated should have a unique serial number, even if the contents of the BOM have not changed over time. If specified, the serial number must conform to RFC-4122. The use of serial numbers is recommended.
>
> **Version** Whenever an existing BOM is modified, either manually or through automated processes, the version of the BOM should be incremented by 1. When a system is presented with multiple BOMs with identical serial numbers, the system should use the most recent version of the BOM. The default version is '1'.
At present, our SBOMs are generated with version 1, but lack a serial number.
```json
"bomFormat" : "CycloneDX",
"specVersion" : "1.5",
"version" : 1,
```
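As an added illustration (not code from this issue or from temurin-build), the following Python checks a BOM's identity fields against the guide text quoted above: a `serialNumber` in the `urn:uuid:` RFC 4122 form required by the CycloneDX JSON schema, a positive integer `version`, plus the "bump on modification" and "pick the most recent version per serial" rules. The sample document is constructed to match the fragment above, so the check reports the missing serial number.

```python
import re
import uuid

# serialNumber pattern from the CycloneDX JSON schema: an RFC 4122 UUID expressed as a URN.
SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)


def check_identity(bom):
    """Return a list of problems with the BOM's identity fields (empty list means OK)."""
    problems = []
    serial = bom.get("serialNumber")
    if serial is None:
        problems.append("missing serialNumber")
    elif not SERIAL_RE.match(serial):
        problems.append(f"serialNumber {serial!r} is not an RFC 4122 UUID URN")
    version = bom.get("version", 1)  # the spec default when the field is absent
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        problems.append(f"version {version!r} must be a positive integer")
    return problems


def new_serial():
    """Mint a fresh serial number; each generated BOM gets its own, even if contents repeat."""
    return f"urn:uuid:{uuid.uuid4()}"


def bump_version(bom):
    """A modified BOM keeps its serialNumber and increments version by 1."""
    updated = dict(bom)
    updated["version"] = int(bom.get("version", 1)) + 1
    return updated


def latest_per_serial(boms):
    """When several BOMs share a serialNumber, keep only the highest version of each."""
    best = {}
    for b in boms:
        serial = b.get("serialNumber")
        if serial is None:
            continue  # cannot be reconciled without an identity
        if serial not in best or b.get("version", 1) > best[serial].get("version", 1):
            best[serial] = b
    return best


# Constructed sample mirroring the Temurin fragment: version present, serialNumber absent.
TEMURIN_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1}
```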
Hello Team, I've spoken with @smlambert in Slack; I would be interested in working on this!
Currently we do not have versioning of the Temurin SBOM content, so if we change a value or property name, or format, etc., we currently don't increment a version.
Investigation needs to be done to understand how we might version the Temurin SBOM, when we would increment it, and how it fits in with CycloneDX versioning features.
We would probably version the current schema as version 0.9, as we have some work to tidy, verify and ensure what we have is complete enough for a 1.0 version.
In a separate activity, we will do a full review of the structure and format of the Temurin SBOM, but consciously editing and managing a version field to the SBOM will be useful ahead of other changes.
Related: https://github.com/adoptium/temurin-build/blob/master/cyclonedx-lib/src/temurin/sbom/TemurinGenSBOM.java