Vulnerability analysis using Dependency-Track
Since Dependency-Track uses the tags cpe, swid or purl to find vulnerabilities in the NVD database,
CycloneDX should make the existence of at least one of these tags mandatory for CycloneDX XML files.
If these tags are not mandatory, then fetching data from the NVD becomes a challenge.
Vulnerability management is the primary use case and the reason why the world is talking about SBOM. However, license and other non-security use cases are important and CycloneDX needs to support those.
We could see that in CycloneDX Specification 1.4 the "CPE" deprecation has been removed and normalized. I hope that in the next version of the specification at least one of the properties "PURL" and "SWID" is made mandatory.
CycloneDX is capable of more than just SBOM use cases. Some components simply won't have a CPE, SWID or PURL. Certainly, if these identifiers are known they should be included. But I don't think we can enforce it in the spec itself.
I do not want to have any of these values mandatory.
Creating CycloneDX files for inventory should not require identifiers for cross-referencing. If these values were mandatory, how would I have these values for in-house developed components, and if I do not have these values, would I just enter bogus ones?
I think the upcoming BOM Maturity Model from OWASP SCVS will be helpful to you. In that, you'll be able to make whatever fields you want mandatory by creating profiles. Several developers are already waiting for SCVS to release the maturity model so they can develop SBOM Profiles and policy enforcement tools specific to this purpose.
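The kind of per-organisation policy check discussed in this thread (first comment: Dependency-Track matches on cpe, swid or purl; this comment: profiles that make chosen fields mandatory) can be done outside the spec. Below is an added example that is not from CycloneDX, Dependency-Track or OWASP SCVS: it parses a constructed CycloneDX XML BOM and reports components that carry none of the three identifiers, i.e. the ones a vulnerability lookup against the NVD would silently skip. The component names and versions in the sample BOM are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample BOM (not from the issue). The third component is an
# in-house library that legitimately has no cpe, purl or swid.
SAMPLE_BOM = """<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">
  <components>
    <component type="library">
      <name>log4j-core</name>
      <version>2.17.1</version>
      <purl>pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1</purl>
    </component>
    <component type="application">
      <name>openssl</name>
      <version>3.0.7</version>
      <cpe>cpe:2.3:a:openssl:openssl:3.0.7:*:*:*:*:*:*:*</cpe>
    </component>
    <component type="library">
      <name>internal-auth-lib</name>
      <version>0.4.2</version>
    </component>
  </components>
</bom>
"""

# The three cross-referencing identifiers Dependency-Track can match on.
IDENTIFIERS = ("cpe", "purl", "swid")

def local_name(tag):
    """Strip the XML namespace so the check works for any CycloneDX version."""
    return tag.rsplit("}", 1)[-1]

def audit_identifiers(xml_text):
    """Return {"name@version": [identifiers present]} for every component."""
    root = ET.fromstring(xml_text)
    report = {}
    for comp in root.iter():
        if local_name(comp.tag) != "component":
            continue
        fields = {local_name(child.tag): child for child in comp}
        name = fields["name"].text if "name" in fields else "<unnamed>"
        version = fields["version"].text if "version" in fields else "?"
        report[f"{name}@{version}"] = [i for i in IDENTIFIERS if i in fields]
    return report

def unmatched_components(xml_text):
    """Components with no cpe, purl or swid: invisible to an NVD lookup."""
    return [label for label, ids in audit_identifiers(xml_text).items() if not ids]
```

A policy tool built on this could treat the unmatched list as a warning for in-house components and as a hard failure for third-party ones, which is the kind of profile this comment anticipates.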
Closing issue