
Add BOM-Link to component schema

Open · prabhu opened this issue 1 year ago • 1 comment

Currently, a component has a bom-ref, while the BOM has a serialNumber. A growing number of ASOC and Vulnerability Management platforms aggregate several components from across BOMs into a single database.

Identifying a component based on a deep BOM-Link becomes a three-step process in such environments (retrieve the BOM, parse it, and identify the referred component). Further, the regex for a bomlink is quite broad: `^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/[1-9][0-9]*#.+$`

The proposal is to add a new property bom-link at the component level. Generator tools can set this value to serialNumber/bom-ref. This would simplify lookups and joins, since the entirety of the BOM document need not be loaded.

prabhu avatar Apr 24 '24 08:04 prabhu
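To make the lookup problem concrete, here is an added example (not code from the CycloneDX project or from the issue author) that composes and parses deep BOM-Links using the regex quoted in the issue, and then builds the kind of cross-BOM component index an aggregation platform would keep. It assumes the BOM's serialNumber carries the `urn:uuid:` prefix that CycloneDX uses and that the proposed component-level property is spelled `bom-link` as in the issue; the two sample BOMs and their UUIDs are constructed for the example.

```python
from __future__ import annotations

import re

# Regex for a BOM-Link exactly as quoted in the issue.
BOM_LINK_RE = re.compile(
    r"^urn:cdx:[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
    r"/[1-9][0-9]*#.+$"
)

# CycloneDX serial numbers are "urn:uuid:<uuid>"; a BOM-Link uses the bare uuid.
UUID_PREFIX = "urn:uuid:"
CDX_PREFIX = "urn:cdx:"


def compose_bom_link(serial_number: str, version: int, bom_ref: str) -> str:
    """Build urn:cdx:<uuid>/<version>#<bom-ref> and validate it against the regex.

    This is what a generator tool would emit into the proposed component-level
    'bom-link' property (assumption: that is the property name adopted).
    """
    uuid = serial_number[len(UUID_PREFIX):] if serial_number.startswith(UUID_PREFIX) else serial_number
    link = f"{CDX_PREFIX}{uuid}/{version}#{bom_ref}"
    if not BOM_LINK_RE.match(link):
        # Catches version 0, uppercase or malformed UUIDs, and empty bom-refs.
        raise ValueError(f"not a valid BOM-Link: {link!r}")
    return link


def parse_bom_link(link: str) -> tuple[str, int, str]:
    """Split a deep BOM-Link into (uuid, version, bom-ref).

    The uuid and version parts cannot contain '#', so the first '#' is the
    separator even if the bom-ref itself contains one.
    """
    if not BOM_LINK_RE.match(link):
        raise ValueError(f"not a valid BOM-Link: {link!r}")
    head, bom_ref = link.split("#", 1)
    uuid, version = head[len(CDX_PREFIX):].split("/", 1)
    return uuid, int(version), bom_ref


def build_component_index(boms: list[dict]) -> dict[str, dict]:
    """Aggregate components from many BOMs into one table keyed by BOM-Link.

    If the generator already set a component-level 'bom-link' (the proposal),
    it is validated and used as-is; otherwise the link is derived from the
    enclosing BOM, which is the extra work the proposal wants to avoid.
    """
    index: dict[str, dict] = {}
    for bom in boms:
        for comp in bom.get("components", []):
            link = comp.get("bom-link")
            if link is None:
                link = compose_bom_link(bom["serialNumber"], bom["version"], comp["bom-ref"])
            elif not BOM_LINK_RE.match(link):
                raise ValueError(f"component {comp.get('bom-ref')!r} has a malformed bom-link")
            if link in index:
                # Two BOMs (or two versions of one BOM) must never collide here.
                raise ValueError(f"duplicate BOM-Link in aggregate: {link}")
            index[link] = {**comp, "bom-link": link}
    return index


def find_component(index: dict[str, dict], link: str) -> dict | None:
    """One-step lookup by BOM-Link: no BOM retrieval or parsing required."""
    parse_bom_link(link)  # reject malformed input before touching the index
    return index.get(link)


# Constructed sample BOMs; UUIDs are made up for this example.
SAMPLE_BOMS = [
    {
        "serialNumber": "urn:uuid:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0",
        "version": 1,
        "components": [
            # No bom-link set: the aggregator has to derive it from the BOM.
            {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21"},
        ],
    },
    {
        "serialNumber": "urn:uuid:aa00bb11-cc22-4d33-8e44-ff5566778899",
        "version": 2,
        "components": [
            {
                "bom-ref": "pkg:maven/org.example/app@1.0.0",
                "name": "app",
                "version": "1.0.0",
                # Generator already emitted the proposed property.
                "bom-link": "urn:cdx:aa00bb11-cc22-4d33-8e44-ff5566778899/2#pkg:maven/org.example/app@1.0.0",
            },
        ],
    },
]


if __name__ == "__main__":
    idx = build_component_index(SAMPLE_BOMS)
    for link, comp in idx.items():
        print(link, "->", comp["name"])
```

The index key is the full BOM-Link rather than the bare bom-ref because bom-ref is only unique within one BOM; the serial number and version are what make the key safe to join across the aggregated database, which is why the issue asks generators to emit the combined value up front.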

Thinking out loud, other entities such as services, compositions, vulnerabilities, annotations, etc. would also benefit from an explicit bom-link.

prabhu avatar Apr 24 '24 08:04 prabhu