Enhancement request: Product as part of another product

[ghsa-retrieval]

Is your enhancement request related to a problem? Please describe. It can happen that a software is both released as a standalone product A and simultaeously as part of a bigger product B. Ideally the package dependencies would not have to be added and reviewed for the product B a second time, but rather product A can be included in product B.

What are the benefits of the requested enhancement?

• No need to update entries twice (or more) on multiple products that use product A
• No risk of inconsistent data in products that make use of product A
• Review steps only have to be done once for product A
• Ability to create hierarchy of products

Describe the solution you would like

• Option 1: Components pretty much cover the hierarchy and nesting, but do not allow to import SBOMs like products
  • Implement SBOM import for components, much like with products
  • User can then add the software as a component
    • For product A we would simply add the component to the inventory and nothing else (standalone)
    • For product B we would add the component among other components and packages to the inventory (bigger product)
  • Export of the SBOM for a product with components must properly include everything that the components depend on (I haven't tested that yet, may already be the case)
• Option 2: Add a nesting and hierarchy feature to products (much like with components)
  • This might make less sense, because then there is even less distinction between components, though products would still be for software that we produce, while components are those that we consume

Additional notes I have asked about this on gitter and was directed to the issue tracker. I may have misunderstandings what components should be used for so apologies if the suggestion goes against the intended design. I'm also not entirely sure why the package associated with components seem to be handled differently with regard to permissions when compared to products. Components seem to be fairly locked off and only editable by the data admins.

[pombredanne]

@ghsa-retrieval this is a very clear report. I like your option 1 very much. And this has been the purpose of components all the way. Some historical perspective is that we used to have only products and components before we got packages. @DennisClark feedback welcomed!

[DennisClark]

@ghsa-retrieval thanks very much for the excellent suggestion. I agree with @pombredanne that your option 1 is the best way to go. The only challenge will be fitting this enhancement into our current roadmap -- updates on that to follow.

[mjherzog]

@ghsa-retrieval Re: " I'm also not entirely sure why the package associated with components seem to be handled differently with regard to permissions when compared to products. Components seem to be fairly locked off and only editable by the data admins." The Django admin screens are the primary mode for editing Products, Packages or Components so there is not much difference there. Access to specific functions is controlled by user Groups which are configurable. Products have some additional access controls to support use cases with multiple independent product teams vs the use case for components or packages as more general purposes datasets.