
Proposal to add "bom-ref" to "tool" (data object) schema to allow link to evidence and other data

Open mrutkows opened this issue 3 years ago • 1 comment

As it is noted, many tools may contribute data to the "final" published SBOM. Currently, there is no means to associate "evidence" (including other concluded data such as from "license" determination) with the tool that produced it. It also appears that the taxonomy for v1.5 will include a robust set of tool types (e.g., SAST, DAST, Fuzzing, etc.) and many more tools that all produce evidence along the CI/CD process.

These use cases lead me to suggest here that we add the existing field "bom-ref" to the "tool" objects (schema properties) as we use elsewhere to allow linking of such data to the tool that produced them.

mrutkows avatar Jul 27 '22 16:07 mrutkows

Based on your proposal, the following change was implemented:

With schema 1.5 the tool data model became deprecated. From schema 1.5 on, tools are either a set of component data models or a set of service data models; both have the capability of having a bom-ref for linkage.

Therefore, I would suggest to close this request as "done".

jkowalleck avatar Jul 12 '23 14:07 jkowalleck
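As an added illustration (not code from this issue or from the CycloneDX project), a small Python check of the 1.5 data model the reply describes: tools declared under `metadata.tools.components`/`services` carry a `bom-ref`, so evidence can point back at the tool that produced it, while the deprecated array form cannot be linked at all. The BOM is a constructed sample, and the `evidence.identity.tools` field holding tool bom-refs is assumed from the 1.5 schema.

```python
# Constructed sample CycloneDX 1.5 BOM (not taken from the issue). In 1.5,
# metadata.tools is an object of "components"/"services" (each may carry a
# bom-ref) or the deprecated array of tool objects, which cannot. Assumed:
# evidence.identity.tools lists the bom-refs of the tools that produced it.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"tools": {"components": [
        {"type": "application", "bom-ref": "tool:scanner",
         "name": "example-scanner", "version": "2.0"},
    ]}},
    "components": [
        {"type": "library", "bom-ref": "pkg:acme/lib@1.0",
         "name": "lib", "version": "1.0",
         "evidence": {"identity": {"field": "purl", "confidence": 0.9,
                                   "tools": ["tool:scanner"]}}},
        {"type": "library", "bom-ref": "pkg:acme/other@2.1",
         "name": "other", "version": "2.1",
         "evidence": {"identity": {"field": "name", "confidence": 0.4,
                                   "tools": ["tool:missing"]}}},
    ],
}

# Deprecated pre-1.5 form: a bare array of tool objects with no bom-ref.
LEGACY_BOM = {"metadata": {"tools": [{"name": "legacy-scanner", "version": "1.0"}]}}


def tool_refs(bom):
    """Return the bom-refs declared by tools under metadata.tools.
    The deprecated array form carries no bom-ref, so it yields an empty set."""
    tools = bom.get("metadata", {}).get("tools", {})
    if isinstance(tools, list):
        return set()
    return {t["bom-ref"] for kind in ("components", "services")
            for t in tools.get(kind, []) if "bom-ref" in t}


def dangling_evidence_tools(bom):
    """Map component bom-ref -> evidence tool refs that match no declared tool."""
    declared = tool_refs(bom)
    problems = {}
    for comp in bom.get("components", []):
        refs = comp.get("evidence", {}).get("identity", {}).get("tools", [])
        missing = [r for r in refs if r not in declared]
        if missing:
            problems[comp["bom-ref"]] = missing
    return problems


if __name__ == "__main__":
    print("unresolved evidence tool refs:", dangling_evidence_tools(SAMPLE_BOM))
```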