
Add 'evidence' element for the components

Open macblazer opened this issue 1 year ago • 0 comments

As an SBOM consumer I would like to have the evidence element added as components/component/evidence (XPath-like syntax) especially for the identity element so that I can make better decisions regarding the contents of SBOMs created with cyclonedx-cocoapods.

This project uses the "manifest-analysis" technique which has confidence from 0.4 to 0.6 (based on this guide).

Here is a JSON example from a Java bom to make it more concrete:

```json
"evidence": {
  "identity": {
    "field": "purl",
    "confidence": 0.8,
    "methods": [
      {
        "technique": "binary-analysis",
        "confidence": 0.8,
        "value": "/tmp/mvn-deps-fN9MGL/us/springett/alpine-common/2.2.4-SNAPSHOT/alpine-common-2.2.4-SNAPSHOT.jar"
      }
    ]
  }
}
```

macblazer avatar Feb 13 '24 19:02 macblazer
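The requested evidence element applied to what cyclonedx-cocoapods actually works from: an added Ruby example (not the gem's own code) that reads the PODS section of a constructed Podfile.lock and emits a CycloneDX 1.5 component carrying an evidence.identity block for the manifest-analysis technique, rejecting confidence values outside the 0.4 to 0.6 band quoted in the issue. The function names, the purl form and the lockfile parsing rules are assumptions made for this example.

```ruby
require 'json'

# Confidence band the issue quotes for the "manifest-analysis" technique.
MANIFEST_ANALYSIS_CONFIDENCE = (0.4..0.6).freeze

# Parse the PODS section of a Podfile.lock into [name, version] pairs.
# Assumption for this example: only top-level "  - Name (x.y.z)" entries
# count; nested dependency lines and subspecs are skipped.
def parse_pods(lockfile_text)
  pods = []
  in_pods = false
  lockfile_text.each_line do |line|
    if line.start_with?('PODS:')
      in_pods = true
      next
    end
    break if in_pods && line.strip.empty? # blank line ends the PODS section
    next unless in_pods
    m = line.chomp.match(%r{\A  - ([^\s(/]+) \(([^)]+)\):?\z})
    pods << [m[1], m[2]] if m
  end
  pods
end

# Build a CycloneDX 1.5 component whose evidence.identity records that the
# purl was derived from the lockfile by manifest analysis (hypothetical helper).
def component_with_evidence(name, version, lockfile_path, confidence: 0.6)
  unless MANIFEST_ANALYSIS_CONFIDENCE.cover?(confidence)
    raise ArgumentError, "manifest-analysis confidence must be within #{MANIFEST_ANALYSIS_CONFIDENCE}"
  end
  purl = "pkg:cocoapods/#{name}@#{version}"
  { 'type' => 'library', 'name' => name, 'version' => version, 'purl' => purl,
    'evidence' => { 'identity' => {
      'field' => 'purl', 'confidence' => confidence,
      'methods' => [{ 'technique' => 'manifest-analysis',
                      'confidence' => confidence, 'value' => lockfile_path }] } } }
end

def components_from_lockfile(lockfile_text, lockfile_path, confidence: 0.6)
  parse_pods(lockfile_text).map { |n, v| component_with_evidence(n, v, lockfile_path, confidence: confidence) }
end

# Constructed sample Podfile.lock, not taken from any real project.
SAMPLE_LOCK = <<~LOCK
  PODS:
    - Alamofire (5.8.1)
    - SwiftyJSON (5.0.1)

  DEPENDENCIES:
    - Alamofire (~> 5.8)
LOCK

puts JSON.pretty_generate(components_from_lockfile(SAMPLE_LOCK, 'Podfile.lock')) if $PROGRAM_NAME == __FILE__
```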