
Add Component Type Unknown to handle some accidental cases

Open VictorHuu opened this issue 7 months ago • 4 comments

Why is it essential?

Some SBOM generators like Syft only support identifying a limited number of component types like File, Image, etc. currently. But there are many types like framework beyond the capacity of Syft. So for accuracy, an unknown type is required. Don't worry that it will compromise the CycloneDX standard, since we have to tackle some weird edge cases when it comes to the implementation.

Fixes #229

VictorHuu avatar Apr 30 '25 08:04 VictorHuu

@nscuro Sorry to bother you, could you review the PR if you are available? I know there are a lot of more important repos for you to maintain, so I am wondering whether this repo is out of regular maintenance. Arguments about the PR are quite sufficient.

VictorHuu avatar Apr 30 '25 08:04 VictorHuu

@VictorHuu I think this should be brought up with the specification committee first: https://github.com/CycloneDX/specification/issues

"unknown" is not part of the official enum of component types for CycloneDX. Mind you, this is the Go implementation of the schema, but there are others (JavaScript, .NET, ...) that would need a similar addition once this would make it into the spec.

mcombuechen avatar Apr 30 '25 08:04 mcombuechen
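As an added example (not code from cyclonedx-go or from this PR), here is the consumer-side check that the comment above implies: any component type outside the schema enum makes the BOM invalid for tooling that validates strictly. The enum list is taken from the CycloneDX 1.6 schema as I know it and the sample BOM is constructed; verify the list against the published schema before relying on it.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component types defined by the CycloneDX 1.6 schema enum (assumption:
// transcribed from memory, check against the published schema).
var specComponentTypes = map[string]bool{
	"application": true, "framework": true, "library": true,
	"container": true, "platform": true, "operating-system": true,
	"device": true, "device-driver": true, "firmware": true, "file": true,
	"machine-learning-model": true, "data": true, "cryptographic-asset": true,
}

// Minimal view of a CycloneDX JSON BOM: only the fields this check needs.
type bom struct {
	Components []struct {
		Type string `json:"type"`
		Name string `json:"name"`
	} `json:"components"`
}

// NonSpecTypes parses a CycloneDX JSON BOM and returns "name:type" for every
// component whose type is not in the schema enum. A BOM with such a value
// fails schema validation in implementations that follow the spec strictly.
func NonSpecTypes(data []byte) ([]string, error) {
	var b bom
	if err := json.Unmarshal(data, &b); err != nil {
		return nil, err
	}
	var bad []string
	for _, c := range b.Components {
		if !specComponentTypes[c.Type] {
			bad = append(bad, c.Name+":"+c.Type)
		}
	}
	return bad, nil
}

// Constructed sample BOM: one valid library plus one component using the
// proposed, non-spec "unknown" type.
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.6","components":[
 {"type":"library","name":"left-pad"},
 {"type":"unknown","name":"mystery-blob"}]}`

func main() {
	bad, err := NonSpecTypes([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println("components with non-spec types:", bad)
}
```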

@mcombuechen Hi, I've attempted to file an issue in the spec, but it was rejected. Here's the thing: this repo is just a CycloneDX utility written in Go for an SBOM, not for a Go project (the very project should be cyclonedx-gomod). So there's no loss of generalisation. Anyway, modifying the spec is way more costly.

VictorHuu avatar Apr 30 '25 10:04 VictorHuu

https://github.com/CycloneDX/specification/issues/627#issuecomment-2841618709

nscuro avatar Apr 30 '25 11:04 nscuro