Support for evidence in dependencies
Generator tools use a data source, such as lock files or a package manager command's output, to construct the dependency relationships. Depending on the environment, the version of the build tools, and the maturity of the particular package management ecosystem, this dependency data might be imprecise, non-reproducible, or entirely wrong.
Many SCA tools and processes use the dependency tree as a factor to prioritize vulnerabilities. Therefore, documenting the confidence and methods used to derive the relationship is essential to avoid incorrect prioritization.
Proposed values
evidence.identity.field.purl - could be the purl of the component identified by ref in the dependencies array.
identity.confidence - The value of 1 must be offered only for known, mature and reproducible ecosystems such as gradle with locks, nuget, golang, etc. For ecosystems such as python, where the tree is dependent on the build environment, this value could be less than 1.
methods.technique could have an additional value "build-tool-output" to indicate that the tree was constructed from build tool output. For example, cdxgen uses this technique for gradle, scala sbt, etc.
Reusing existing schema
evidence.occurrences and evidence.callstack are also applicable for dependency trees. Certain ecosystems, such as golang and npm, make the source code for all dependencies available, making it technically possible to identify the occurrences for the tree and plot a call stack. We could, therefore, reuse the existing evidence schema for dependencies.
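An added illustration of the proposal above (example code, not part of this issue, cdxgen, or the CycloneDX project): a constructed `dependencies` array that places `evidence.identity` on each dependency entry as proposed, and a small ranking routine that weights a finding's CVSS score by how confident the SBOM is that the affected component really sits under the application's tree. The purls, CVSS values and finding ids are constructed sample data; the placement of `evidence` under `dependencies` and the `build-tool-output` technique value follow this proposal rather than the published schema, while `manifest-analysis` is an existing technique value from the component evidence schema. Treating an entry with no evidence as confidence 1.0 is an assumption made here so that missing data never hides a finding.

```python
"""Illustrative use of per-dependency evidence when prioritizing findings.

Not the CycloneDX project's code; field layout follows the proposal in the issue.
"""
import json
from typing import Dict, List, Tuple

# Constructed sample dependencies array, shaped after the proposal.
DEPENDENCIES: List[dict] = [
    {   # Gradle with a lock file: reproducible, so confidence 1.0 from build tool output
        "ref": "pkg:maven/com.example/app@1.0.0",
        "dependsOn": ["pkg:maven/org.example/lib-a@2.1.0"],
        "evidence": {"identity": {"field": "purl", "confidence": 1.0, "methods": [
            {"technique": "build-tool-output", "confidence": 1.0,
             "value": "gradle dependencies --configuration runtimeClasspath"}]}},
    },
    {   # Python resolved from a manifest: tree depends on the build environment
        "ref": "pkg:pypi/app@1.0.0",
        "dependsOn": ["pkg:pypi/requests@2.31.0"],
        "evidence": {"identity": {"field": "purl", "confidence": 0.6, "methods": [
            {"technique": "manifest-analysis", "confidence": 0.6, "value": "requirements.txt"}]}},
    },
    {   # Transitive edge inferred from package metadata, even less certain
        "ref": "pkg:pypi/requests@2.31.0",
        "dependsOn": ["pkg:pypi/urllib3@2.0.0"],
        "evidence": {"identity": {"field": "purl", "confidence": 0.5, "methods": [
            {"technique": "manifest-analysis", "confidence": 0.5, "value": "METADATA Requires-Dist"}]}},
    },
]

# Constructed findings: component ref plus a CVSS base score (ids are placeholders).
FINDINGS: List[dict] = [
    {"id": "EXAMPLE-0001", "ref": "pkg:maven/org.example/lib-a@2.1.0", "cvss": 7.5},
    {"id": "EXAMPLE-0002", "ref": "pkg:pypi/urllib3@2.0.0", "cvss": 9.8},
]


def edge_confidences(dependencies: List[dict]) -> Dict[Tuple[str, str], float]:
    """Map each (parent, child) edge to the identity confidence recorded on the
    parent's dependency entry. Entries without evidence default to 1.0 (assumption)."""
    edges: Dict[Tuple[str, str], float] = {}
    for entry in dependencies:
        conf = entry.get("evidence", {}).get("identity", {}).get("confidence", 1.0)
        for child in entry.get("dependsOn", []):
            edges[(entry["ref"], child)] = float(conf)
    return edges


def path_confidence(dependencies: List[dict], root: str, target: str) -> float:
    """Confidence that `target` really sits under `root`: the product of edge
    confidences along a path, maximized over all paths; 0.0 if unreachable.
    The strict '>' test means cycles terminate (no improvement, no revisit)."""
    children: Dict[str, List[Tuple[str, float]]] = {}
    for (parent, child), conf in edge_confidences(dependencies).items():
        children.setdefault(parent, []).append((child, conf))
    best = {root: 1.0}
    stack = [root]
    while stack:
        node = stack.pop()
        for child, conf in children.get(node, []):
            score = best[node] * conf
            if score > best.get(child, 0.0):
                best[child] = score
                stack.append(child)
    return best.get(target, 0.0)


def prioritize(findings: List[dict], dependencies: List[dict], roots: List[str]) -> List[dict]:
    """Rank findings by CVSS weighted by tree confidence (best over the given roots).
    A component the SBOM is unsure about is ranked lower than a certain one, but
    never dropped, so reviewers can still see it."""
    ranked = []
    for finding in findings:
        weight = max(path_confidence(dependencies, r, finding["ref"]) for r in roots)
        ranked.append({**finding, "tree_confidence": weight,
                       "priority": round(finding["cvss"] * weight, 2)})
    return sorted(ranked, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    roots = ["pkg:maven/com.example/app@1.0.0", "pkg:pypi/app@1.0.0"]
    print(json.dumps({"dependencies": DEPENDENCIES}, indent=2))  # prototype fragment
    for f in prioritize(FINDINGS, DEPENDENCIES, roots):
        print(f["id"], f["ref"], "cvss", f["cvss"], "tree_confidence", f["tree_confidence"], "priority", f["priority"])
```

Run as-is, the lower-CVSS finding on `lib-a` outranks the 9.8 on `urllib3`, because the Gradle edge is recorded at confidence 1.0 while the two Python hops multiply down to 0.3. That is exactly the kind of reordering the proposal is meant to make explicit and auditable rather than implicit in the SCA tool.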
Can you provide a prototype of what the resulting SBOM would look like with the proposed changes?