oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

SBOM URLs: Guidance on SBOMs inside containers #690

Open tschmidtb51 opened 4 months ago

tschmidtb51 commented 4 months ago

The TC received a comment via its mailing list:

Additionally, I'd like to propose a standardized format for referencing SBOMs within container images. Given that containers utilize the double colon (:) in the copy command, a similar syntax could be adopted for SBOM references:

docker://<image>:<path in image> # Or with the tag
docker://<image>:tag:<path in image>

For example, in the case of the Juice Shop image, the SBOM could be referenced as follows:

docker://bkimminich/juice-shop:v16.0.0:/juice-shop/sbom.json

This format provides a clear and consistent method for accessing SBOMs within container images. An alternative would be "podman://" or a container technology independent "container://", which I didn't see beforehand.

The TC needs to decide a) whether we follow the suggested format for links into containers and b) how to provide that guidance (e.g. FAQ question, special guidance, only in a next version of the standard, etc.)

For a) we need to consider whether and how other formats handle these things.

tschmidtb51 commented 4 months ago

Also, we need to check which schemes have been marked authoritative by IANA - others can't use the // according to RFC 3986 Section 3.3.

wurstbrot commented 4 months ago

An alternative to a URL for SBOMs is also an extra attribute, e.g. container image (e.g. bkimminich/juice-shop:v16.0.0) and an attribute path=/juice-shop/sbom.json. Like that, CSAF will not violate RFC 3986 (I didn't check if it would violate) by using a widely adopted but not standard-conform way.

While https://github.com/oasis-tcs/csaf/issues/689#issuecomment-1949216870 would be an addition for a URL, this is an alternative to a URL.

From my point of view, this will make the software implementation easier in case SBOMs should be fetched automatically.
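To make the two proposals in this thread concrete, here is an added example (not code from the TC, the mailing-list contributor, or any commenter) that parses the proposed `<scheme>://<image>[:<tag>]:<path in image>` form into the separate `container image` / `path` attributes suggested in the last comment, and shows what a generic RFC 3986 parser makes of the same string (the concern raised in the second comment). It assumes the three scheme spellings floated above, that the in-image path is always absolute (as in both examples), and that digest-pinned references (`name@sha256:...`) are kept whole rather than split into a tag; the class and function names are the example's own.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

# The three scheme spellings mentioned in the thread (assumption: no others are accepted).
SCHEMES = ("docker", "podman", "container")


@dataclass(frozen=True)
class ContainerSbomRef:
    scheme: str
    image: str            # repository reference without tag, e.g. "bkimminich/juice-shop"
    tag: Optional[str]    # None when the reference carries no tag
    path: str             # absolute path inside the image filesystem


def parse_container_sbom_ref(ref: str) -> ContainerSbomRef:
    """Parse '<scheme>://<image>[:<tag>]:<path in image>' into its parts."""
    scheme, sep, rest = ref.partition("://")
    if not sep or scheme not in SCHEMES:
        raise ValueError(f"unsupported or missing scheme in {ref!r}")
    # The in-image path is assumed absolute, so it starts at the first ':/'.
    # That is what disambiguates it from ':<port>' in a registry host or from
    # ':<tag>', neither of which may begin with '/'.
    cut = rest.find(":/")
    if cut <= 0:
        raise ValueError(f"no '<image>:/<absolute path>' part in {ref!r}")
    image_ref, path = rest[:cut], rest[cut + 1:]
    # Digest-pinned references contain '@' and are kept whole (assumption).
    if "@" in image_ref:
        return ContainerSbomRef(scheme, image_ref, None, path)
    # A trailing ':<tag>' exists only if the text after the last ':' has no '/';
    # otherwise that colon belongs to a 'registry:port/...' prefix.
    image, colon, tail = image_ref.rpartition(":")
    if colon and tail and "/" not in tail:
        return ContainerSbomRef(scheme, image, tail, path)
    return ContainerSbomRef(scheme, image_ref, None, path)


def is_valid_ref(ref: str) -> bool:
    """True if the reference parses under the rules above."""
    try:
        parse_container_sbom_ref(ref)
        return True
    except ValueError:
        return False


def to_attributes(ref: ContainerSbomRef) -> dict:
    """The attribute-based alternative: a plain image reference plus a path."""
    image = f"{ref.image}:{ref.tag}" if ref.tag else ref.image
    return {"container_image": image, "path": ref.path}


def generic_uri_view(ref: str) -> tuple:
    """What an RFC 3986 generic parser sees: everything after '//' up to the
    first '/' becomes the authority, so the repository name is misread as a host."""
    parts = urlsplit(ref)
    return parts.netloc, parts.path


if __name__ == "__main__":
    # Constructed sample references, including a registry with a port number.
    for sample in (
        "docker://bkimminich/juice-shop:v16.0.0:/juice-shop/sbom.json",
        "podman://registry.example.com:5000/team/app:/var/lib/sbom.json",
        "container://registry.example.com:5000/team/app:1.2:/sbom.json",
    ):
        parsed = parse_container_sbom_ref(sample)
        print(sample, "->", to_attributes(parsed))
        print("  generic RFC 3986 view (authority, path):", generic_uri_view(sample))
```

The `generic_uri_view` output for the Juice Shop example shows the authority component coming out as `bkimminich`, which is why a plain `host:port/path` URL parser cannot be reused for this syntax and why the attribute-based alternative is simpler to implement.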