interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms
Apache License 2.0

update sbom_with_creator_and_version rule for cdx version >= 1.5 #284

Closed viveksahu26 closed 1 month ago

viveksahu26 commented 2 months ago

close: https://github.com/interlynk-io/sbomqs/issues/264

Update the sbom_with_creator_and_version rule for CDX SBOMs whose spec version is >= 1.5.

riteshnoronha commented 2 months ago

@viveksahu26 this change is incorrect. Tools/Components & services are all available since version 1.5, and versions before 1.5 support only Tools.

We should not use CycloneDX versions here but check if the feature is present or not, e.g. populate our internal tools array as follows
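As an added illustration of the feature-presence check described above (example code, not sbomqs's own implementation): the function decides by the JSON shape of `metadata.tools`, a legacy array or the 1.5+ object holding `components` and `services`, and never looks at `specVersion`. `Tool`, `ExtractTools` and the two sample BOM strings are constructed for this example.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Tool is a hypothetical internal record of an SBOM creator tool (not sbomqs's own type).
type Tool struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// ExtractTools fills the internal tools list from a CycloneDX JSON document. It branches on
// the shape of metadata.tools, not on specVersion, so a 1.5 BOM still using the legacy array works.
func ExtractTools(doc []byte) ([]Tool, error) {
	var bom struct {
		Metadata struct {
			Tools json.RawMessage `json:"tools"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(doc, &bom); err != nil {
		return nil, err
	}
	raw := bytes.TrimSpace(bom.Metadata.Tools)
	if len(raw) == 0 || bytes.Equal(raw, []byte("null")) {
		return nil, nil // no creator information present at all
	}
	switch raw[0] {
	case '[': // legacy form: a plain array of tool objects
		var tools []Tool
		err := json.Unmarshal(raw, &tools)
		return tools, err
	case '{': // 1.5+ form: object holding components and services
		var obj struct {
			Components []Tool `json:"components"`
			Services   []Tool `json:"services"`
		}
		if err := json.Unmarshal(raw, &obj); err != nil {
			return nil, err
		}
		return append(obj.Components, obj.Services...), nil
	}
	return nil, fmt.Errorf("metadata.tools: unexpected JSON shape starting with %c", raw[0])
}

// Constructed sample BOMs: one legacy-shaped (1.4) and one 1.5-shaped document.
const LegacyBOM = `{"specVersion":"1.4","metadata":{"tools":[{"name":"syft","version":"0.90.0"}]}}`
const ModernBOM = `{"specVersion":"1.5","metadata":{"tools":{"components":[{"type":"application","name":"trivy","version":"0.45.0"}],"services":[{"name":"scan-api","version":"2"}]}}}`
```

A document with no `metadata.tools` at all yields an empty list, which is the case the quality rule should then flag as missing creator information.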

viveksahu26 commented 1 month ago

Yeah, got it. I would correct it. Basically, earlier I got a bit confused about services: how services can provide a tool name, its version and all. But later I read that a service is more generalized in terms of a tool, whereas a tool is one of the services. Apart from that, can you provide CycloneDX SBOM examples having version 1.5 or 1.6 for testing and all?