Open tschmidtb51 opened 4 months ago
Also, we need to check which schemes have been marked authoritative by IANA - others can't use the `//`
according to RFC 3986 Section 3.3.
An alternative to a URL for SBOMs is also an extra attribute, e.g. container image (e.g. `bkimminich/juice-shop:v16.0.0`) and an attribute `path=/juice-shop/sbom.json`.
Like that, CSAF will not violate RFC 3986 (I didn't check if it would violate) by using a widely adopted but not standard-conforming way.
While https://github.com/oasis-tcs/csaf/issues/689#issuecomment-1949216870 would be an addition for a URL, this is an alternative to a URL.
From my point of view, this will make it easier in the software implementation in case SBOMs should be fetched automatically.
The TC received a comment via its mailing list:
The TC needs to decide a) whether we follow the suggested format for links into containers and b) how to provide that guidance (e.g. FAQ question, special guidance, only in a next version of the standard, etc.)
For a) we need to consider, whether and how other formats are handling these things.
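As an added illustration of the image-plus-path alternative proposed above (example code written for this thread, not part of CSAF or the issue), here is a small Python validator that splits an image reference the way Docker/OCI tooling does and checks the path attribute. The attribute names `image` and `path` and the requirement that the image be pinned by tag or digest are assumptions.

```python
import re

# Hypothetical entry shape for the proposal: {"image": ..., "path": ...}.
# These attribute names are assumptions, not CSAF's schema.

_HOST_LIKE = re.compile(r"^(localhost|[^/]*[.:][^/]*)$")  # registry-looking first component
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")
_DIGEST_RE = re.compile(r"^[a-z0-9]+:[a-f0-9]{32,}$")

def parse_image_ref(ref):
    """Split [registry/]repository[:tag][@digest] as Docker/OCI tools do:
    the first component is a registry only if it looks like a host ('.', ':'
    or 'localhost'); a ':' is a tag separator only after the last '/', so a
    registry port is not mistaken for a tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):
        ref, tag = ref[:colon], ref[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")
    registry = None
    first, _, rest = ref.partition("/")
    if rest and _HOST_LIKE.match(first):
        registry, ref = first, rest
    if not ref or ref.startswith("/") or ref.endswith("/") or "//" in ref:
        raise ValueError(f"malformed repository: {ref!r}")
    return {"registry": registry, "repository": ref, "tag": tag, "digest": digest}

def validate_sbom_ref(entry):
    """The path names a file inside the image filesystem, so it must be
    absolute, must not start with '//' (the RFC 3986 section 3.3 ambiguity
    raised in the thread) and must not contain empty, '.' or '..' segments."""
    image = parse_image_ref(entry["image"])
    path = entry["path"]
    if not path.startswith("/") or path.startswith("//"):
        raise ValueError(f"path must be absolute and not start with '//': {path}")
    if any(seg in ("", ".", "..") for seg in path[1:].split("/")):
        raise ValueError(f"path has empty, '.' or '..' segments: {path}")
    if image["tag"] is None and image["digest"] is None:
        raise ValueError("image must be pinned by tag or digest (assumed policy)")
    return {**image, "path": path}

if __name__ == "__main__":
    # Constructed input reusing the thread's own example values.
    print(validate_sbom_ref({"image": "bkimminich/juice-shop:v16.0.0",
                             "path": "/juice-shop/sbom.json"}))
```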