
Add support for Separation of Concern

Open flemminglau opened this issue 3 years ago • 4 comments

When an SBOM describes an application (A) which is built on top of a complex component (B) for which a separate SBOM is available, there is a need to ensure that the A SBOM does not include inventory from B. Instead A should refer to B as a contained assembly. Or potentially at a later stage the two should be merged to describe the full set of dependencies for A.

In this way it is clear who is responsible for which parts of the A inventory and any concerns (vulnerability or otherwise) can be addressed by the appropriate parties.

It is (from what we can determine) not possible in the A SBOM generation step to know what parts of the inventory may be covered by some other B SBOM.

So it might be a way forward to add to cyclonedx-cli the ability to "subtract" one SBOM from another. (I.e. to process an SBOM (A) in a way that excludes all inventory covered by an SBOM (B).)

flemminglau avatar Mar 10 '22 09:03 flemminglau

Looking at this again it seems that the cyclonedx-cli approach may not be useful.

As we cannot assume that an SBOM contains dependency information, it cannot be assumed that the fact that a component is used in SBOM B means that it is not also used in SBOM A (separately). This means that we cannot simply remove it from SBOM A. (E.g. a vulnerability on the component would apply to both A and B separately.)

It seems this functionality can only be implemented by a component like the cyclonedx mvn plugin.

flemminglau avatar Mar 11 '22 12:03 flemminglau

Looking at the description of Assemblies in the CycloneDX specification I am wondering why the merge functionality in the cyclonedx-cli does not at least have an option to define one SBOM as a component of another. It seems currently the only option is to merge everything into one big pile of components whereby information about the origin of each item is lost.
This may be what you want but it may also not be.

flemminglau avatar Mar 21 '22 15:03 flemminglau

@flemminglau is the hierarchical merge not what you're after? What's missing?

robertlagrant avatar Mar 09 '23 09:03 robertlagrant

> @flemminglau is the hierarchical merge not what you're after? What's missing?

You may be right. In that case what's missing is me understanding what a hierarchical merge is. It is not exactly explained in the README.

flemminglau avatar Mar 09 '23 11:03 flemminglau
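To make the difference between the flat merge and the hierarchical (assembly-style) merge discussed in this thread concrete, here is an added Python example that is not part of cyclonedx-cli or this issue: it merges two constructed SBOMs both ways and reports which assembly each component belongs to. The names, versions and the bom-ref prefixing for nested components are this example's own assumptions, not cyclonedx-cli's rules.

```python
from copy import deepcopy

def lib(name, ver):
    return {"type": "library", "name": name, "version": ver, "bom-ref": f"{name}@{ver}"}

# Constructed sample SBOMs, not real project data. "libfoo" is used by both the
# application and the framework, the situation raised in the thread above.
SBOM_A = {"bomFormat": "CycloneDX", "specVersion": "1.4",
          "metadata": {"component": {"type": "application", "name": "app-a",
                                     "version": "1.0", "bom-ref": "app-a@1.0"}},
          "components": [lib("libfoo", "2.1"), lib("libbar", "0.9")]}
SBOM_B = {"bomFormat": "CycloneDX", "specVersion": "1.4",
          "metadata": {"component": {"type": "framework", "name": "framework-b",
                                     "version": "3.2", "bom-ref": "framework-b@3.2"}},
          "components": [lib("libfoo", "2.1"), lib("libbaz", "5.0")]}

def flat_merge(boms):
    """Flat merge: one de-duplicated pile of components keyed by bom-ref.
    Nothing records which input BOM each component came from."""
    seen = {}
    for bom in boms:
        for c in bom.get("components", []):
            seen.setdefault(c["bom-ref"], deepcopy(c))
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": list(seen.values())}

def hierarchical_merge(root_bom, assembly_boms):
    """Hierarchical merge: each assembly BOM's metadata.component becomes a
    component of the root BOM, with its own inventory nested beneath it.
    bom-refs must be unique within one BOM, so nested refs are prefixed with
    the assembly's ref (this example's convention, an assumption)."""
    merged = deepcopy(root_bom)
    for bom in assembly_boms:
        assembly = deepcopy(bom["metadata"]["component"])
        assembly["components"] = []
        for c in bom.get("components", []):
            sub = deepcopy(c)
            sub["bom-ref"] = f'{assembly["bom-ref"]}/{c["bom-ref"]}'
            assembly["components"].append(sub)
        merged.setdefault("components", []).append(assembly)
    return merged

def origins(bom, name):
    """Sorted names of the components under which `name` appears (the root's
    own name for top-level entries): answers "who is responsible for this?"."""
    root = bom.get("metadata", {}).get("component", {}).get("name", "<flat>")
    found = []
    def walk(components, parent):
        for c in components:
            if c["name"] == name:
                found.append(parent)
            walk(c.get("components", []), c["name"])
    walk(bom.get("components", []), root)
    return sorted(found)
```

With the hierarchical form, a vulnerability in libfoo is visibly attributable to both app-a and framework-b, which the flat pile cannot express.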