
Add Steward to the CycloneDX Specification

Open Pizza-Ria opened this issue 1 year ago • 4 comments

Add Steward to the CycloneDX Specification

This is a suggestion to add a field in the specification to indicate if there is a steward (see EU-CRA Article 24 and https://linuxfoundation.eu/cyber-resilience-act for context) for the project. Ultimately, collection of this field (especially for automated scanners) may depend on an ecosystem adoption of a steward.md file within a repo so this field can be easily identified. There is a parallel issue filed with the SPDX standard at https://github.com/spdx/spdx-3-model/issues/855.

Thank you!

Pizza-Ria avatar Aug 14 '24 14:08 Pizza-Ria

Thanks for the suggestion and references. Is a BOM spec the correct place to identify the steward of a project or package? I would think the Common Lifecycle Enumeration (CLE) would be a better place as the steward may change over time or different stewards may exist for different major versions of a project.

Refer to https://docs.google.com/document/d/1sRMS1IX0r7ZkYthDR0VY1bYyvp_6K_xw4sR1vZwla8E/edit for details on CLE.

stevespringett avatar Aug 14 '24 17:08 stevespringett

Thanks for the suggestion, Steve. Different stewards do present a challenge. I had in mind the idea that a steward.md file in the repo could be updated from time to time and when an SBOM is produced (hopefully) scanners would pick up the current steward listed in that file. But, you are correct that it doesn't solve for a steward that changes post-distribution.

Pizza-Ria avatar Aug 16 '24 01:08 Pizza-Ria

@Pizza-Ria where does this idea of a steward.md file come from? Is there any standard/draft for this, where we can read about it, and is it machine-readable?

jkowalleck avatar Aug 16 '24 06:08 jkowalleck

@jkowalleck The idea stemmed from other metadata markdown documents that I regularly utilize in open source repos like Notice.md. It doesn't currently exist (to my knowledge), but it would be an easy way for a person/entity to indicate that intent. If one no longer wishes to claim that responsibility, then they could file a pull request to be removed.

Pizza-Ria avatar Aug 19 '24 20:08 Pizza-Ria