
Add support for granular lifecycles

Open prabhu opened this issue 2 years ago • 2 comments

SBoM generation tools (like cdxgen) might encounter artifacts already built along with source code and package manager manifests. In such cases, indicating the lifecycle phases associated with the given component(s) or their parent component(s) would be nice.

In 1.5, lifecycles can be an array of values or name-description objects. Similar to component evidence, lifecycles could optionally accept bom-link, bom-ref, purl, and cpe to make it granular. In addition, we can also add evidence methods so that the generator can justify how and why it thinks the components or the bom belong to a particular phase. Understanding the tool's assumptions is useful since the definition of build and post-build differs based on the organization and team.

prabhu avatar Aug 13 '23 11:08 prabhu
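A concrete mock-up of the idea in the issue, added here as an example and not code from the CycloneDX specification, cdxgen, or the issue author. The `phase` / `name` shape of `metadata.lifecycles` and the `technique` / `confidence` / `value` shape of evidence methods are the real 1.5 forms; the `bom-ref`, `bom-link`, `purl`, `cpe` and `evidence` keys on a lifecycle entry are the hypothetical extension under discussion and do not validate against any released schema. The BOM fragment is constructed. The consumer-side check it shows is the part a practitioner would actually want: a lifecycle claim that names a component should resolve to a component in the same BOM, and its justification should use a known technique with a confidence in range.

```python
"""Mock-up of granular lifecycles for CycloneDX (hypothetical extension).

Added example, not part of the specification or of cdxgen. The keys in
GRANULAR_KEYS are the proposed extension; everything else mirrors 1.5.
"""
from typing import Any

# Predefined lifecycle phases in CycloneDX 1.5.
PHASES = {"design", "pre-build", "build", "post-build",
          "operations", "discovery", "decommission"}
# Evidence identity techniques defined in 1.5 (reused here for lifecycles).
TECHNIQUES = {"source-code-analysis", "manifest-analysis", "binary-analysis",
              "ast-fingerprint", "hash-comparison", "instrumentation",
              "dynamic-analysis", "filename", "attestation", "other"}
# HYPOTHETICAL keys proposed in the issue; not in any released schema.
GRANULAR_KEYS = {"bom-ref", "bom-link", "purl", "cpe", "evidence"}

# Constructed BOM: a library built from source plus a prebuilt binary that
# was found lying next to the manifests, as the issue describes.
SAMPLE_BOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "lifecycles": [
            {"phase": "build"},                       # plain 1.5 entry, whole BOM
            {                                         # hypothetical granular entry
                "phase": "post-build",
                "bom-ref": "bin:app",
                "evidence": {
                    "methods": [{
                        "technique": "binary-analysis",
                        "confidence": 0.8,
                        "value": "prebuilt ELF found in target/ (constructed)",
                    }]
                },
            },
        ]
    },
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/lib@1.0.0",
         "name": "lib", "version": "1.0.0"},
        {"type": "application", "bom-ref": "bin:app", "name": "app"},
    ],
}


def validate_lifecycles(bom: dict[str, Any], allow_granular: bool = False) -> list[str]:
    """Return a list of problems; empty means the lifecycle entries are consistent.

    With allow_granular=False only the 1.5 rules apply (one of phase/name,
    known phase, no extra keys). With allow_granular=True the hypothetical
    keys are accepted and cross-checked against the rest of the BOM.
    """
    problems: list[str] = []
    known_refs = {c.get("bom-ref") for c in bom.get("components", [])} - {None}
    for i, entry in enumerate(bom.get("metadata", {}).get("lifecycles", [])):
        where = f"lifecycles[{i}]"
        has_phase, has_name = "phase" in entry, "name" in entry
        if has_phase == has_name:
            problems.append(f"{where}: exactly one of 'phase' or 'name' is required")
        if has_phase and entry["phase"] not in PHASES:
            problems.append(f"{where}: unknown phase {entry['phase']!r}")
        extra = set(entry) - {"phase", "name", "description"}
        if not allow_granular and extra:
            problems.append(f"{where}: keys {sorted(extra)} are not defined in 1.5")
            continue
        if extra - GRANULAR_KEYS:
            problems.append(f"{where}: unexpected keys {sorted(extra - GRANULAR_KEYS)}")
        ref = entry.get("bom-ref")
        if ref is not None and ref not in known_refs:
            problems.append(f"{where}: bom-ref {ref!r} does not resolve to a component")
        for j, method in enumerate(entry.get("evidence", {}).get("methods", [])):
            if method.get("technique") not in TECHNIQUES:
                problems.append(f"{where}.evidence.methods[{j}]: unknown technique")
            conf = method.get("confidence")
            if not isinstance(conf, (int, float)) or not 0 <= conf <= 1:
                problems.append(f"{where}.evidence.methods[{j}]: confidence must be in [0, 1]")
    return problems


def phases_for(bom: dict[str, Any], bom_ref: str) -> list[str]:
    """Phases claimed for one component: its own granular entries if any,
    otherwise the document-level entries that carry no granular keys."""
    entries = bom["metadata"]["lifecycles"]
    own = [e for e in entries if e.get("bom-ref") == bom_ref]
    document_level = [e for e in entries if not (set(e) & GRANULAR_KEYS)]
    return [e.get("phase") or e["name"] for e in (own or document_level)]


if __name__ == "__main__":
    print("strict 1.5:", validate_lifecycles(SAMPLE_BOM))
    print("with extension:", validate_lifecycles(SAMPLE_BOM, allow_granular=True))
    for comp in SAMPLE_BOM["components"]:
        print(comp["bom-ref"], "->", phases_for(SAMPLE_BOM, comp["bom-ref"]))
```

Run as-is the strict pass rejects the granular entry (which is the point: the proposal needs a schema change), the extended pass accepts it, and the binary resolves to `post-build` while the library inherits the document-level `build`.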

This needs to be fleshed out. Can you provide some mockups on what your thoughts are? Moving to v1.7 to give us time to flesh this out.

stevespringett avatar Feb 05 '24 22:02 stevespringett

Thanks @stevespringett. I am unable to find time, so moving to 1.7 would help.

prabhu avatar Feb 06 '24 10:02 prabhu