
Add BOM Meta Endpoint

Open stevespringett opened this issue 2 years ago • 5 comments

The idea behind a BOM Meta endpoint is to provide format, hash, and external signature information.

The BOM Meta retrieval would work similar to the existing BOM retrieval, but would return metadata rather than the BOM itself.

bom-meta-url   = system-url "/" bom-identifier
bom-identifier = segment
                 ; an identifier that uniquely identifies a BOM
                 ; NOTE: MUST be appropriately URI encoded
                 ; segment as defined in RFC3986

As an example, here's a snippet response for what I'm thinking about being returned:

{
  "spec": {
    "format": "CycloneDX",
    "version": "1.4",
    "mime-type": "application/vnd.cyclonedx+json"
  },
  "published": "2022-03-07T15:50:00Z",
  "checksum": [
    { "alg": "SHA-256", "value": "CF80CD8..." },
    { "alg": "SHA-512", "value": "CF80CD8..." },
    { "alg": "SHA3-256", "value": "CF80CD8..." },
    { "alg": "SHA3-512", "value": "CF80CD8..." },
    { "alg": "BLAKE3", "value": "CF80CD8..." }
  ],
  "signature": []
}

I think alg should be an enum with only those supported algorithms.

As for signatures, it would be ideal if we could support external signature files, signature services (e.g. sigstore), and external inline.

stevespringett avatar Apr 08 '22 15:04 stevespringett
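As an added example (not code from the issue or from the transparency-exchange-api project), here is a minimal producer and consumer of the proposed BOM Meta document: the server side computes the checksum list for a BOM using the enumerated algorithms, and the client side accepts a BOM only if every listed algorithm is in the enum and every digest it can recompute matches. The function names, the sample CycloneDX BOM bytes and the restriction to hashlib-backed algorithms (BLAKE3 is in the proposed enum but not in Python's standard library) are assumptions of this example.

```python
import hashlib
import json
from datetime import datetime, timezone

# The "alg" enum proposed in the issue. BLAKE3 is listed but has no hashlib
# backend, so this example (assumption) only computes the other four.
CHECKSUM_ALGS = ("SHA-256", "SHA-512", "SHA3-256", "SHA3-512", "BLAKE3")
_HASHLIB_NAMES = {"SHA-256": "sha256", "SHA-512": "sha512",
                  "SHA3-256": "sha3_256", "SHA3-512": "sha3_512"}


def build_bom_meta(bom_bytes, spec_version="1.4", published=None):
    """Server side (hypothetical helper): build the BOM Meta document for a CycloneDX JSON BOM."""
    if published is None:
        published = datetime.now(timezone.utc).replace(microsecond=0).isoformat()
    checksums = [
        {"alg": alg, "value": hashlib.new(_HASHLIB_NAMES[alg], bom_bytes).hexdigest()}
        for alg in CHECKSUM_ALGS if alg in _HASHLIB_NAMES
    ]
    return {
        "spec": {"format": "CycloneDX", "version": spec_version,
                 "mime-type": "application/vnd.cyclonedx+json"},
        "published": published,
        "checksum": checksums,
        "signature": [],  # external / service signatures are out of scope here
    }


def verify_bom_against_meta(bom_bytes, meta):
    """Client side (hypothetical helper): True only if every entry uses an enum
    algorithm, every recomputable digest matches, and at least one was checked."""
    verified = 0
    for entry in meta.get("checksum", []):
        alg = entry.get("alg")
        if alg not in CHECKSUM_ALGS:
            return False  # unknown algorithm name: reject rather than skip
        if alg not in _HASHLIB_NAMES:
            continue      # enum member we cannot compute locally (BLAKE3)
        digest = hashlib.new(_HASHLIB_NAMES[alg], bom_bytes).hexdigest()
        if digest != str(entry.get("value", "")).lower():
            return False  # digest mismatch: the BOM was altered or meta is stale
        verified += 1
    return verified > 0


if __name__ == "__main__":
    # Constructed sample BOM, not a real artifact.
    sample_bom = b'{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}'
    print(json.dumps(build_bom_meta(sample_bom, published="2022-03-07T15:50:00Z"), indent=2))
```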

If this is acceptable, I'll create a PR that adds this to the spec and we can figure out the details.

stevespringett avatar Apr 08 '22 15:04 stevespringett

Should we include group, name and version of the software the BOM is for as well?

coderpatros avatar May 02 '22 21:05 coderpatros

Should we include group, name and version of the software the BOM is for as well?

I don't think so. CycloneDX has these things. SPDX does not. IMO, I think we keep it strictly metadata about the BOM, not its contents.

stevespringett avatar May 12 '22 03:05 stevespringett

This is much like HEAD in HTTP. I like this idea.

oej avatar Aug 20 '24 06:08 oej

This is much like HEAD in HTTP. I like this idea.

HEAD has no body returned. RFC 9110 9.3.2 TL;DR: a HEAD method is intended to return the same headers, with no body, as the corresponding GET. This offers a lean way to assist in an assessment of whether or not a full GET is required to be called next.

0x73746F66 avatar Sep 19 '24 12:09 0x73746F66

I understand the concept in this ticket, but it is not clear in this ticket why such an endpoint is required and in what scenarios this provides value.

@stevespringett, @oej - is there anything that can be added as a reference or explanation (for myself and the wider community)?

madpah avatar Nov 11 '24 10:11 madpah

Note that this ticket is pre-TEA, it does not refer to current work.

oej avatar Nov 11 '24 11:11 oej

Closing this as it does not relate to current work

oej avatar Feb 12 '25 14:02 oej