
TEA: How do we indicate type of artefact

Open oej opened this issue 1 year ago • 5 comments

In a TEA collection we have a number of documents, artefacts, for a given product version. How do we encode type of document?

  • Media types a la E-mail/HTTP?
  • Our own ENUM that will have to be managed

What extra attributes are needed?

  • Language
  • Version of document type - CycloneDX 1.5/1.6/2.2 etc
  • Encoding - plain, base64

oej avatar Jul 31 '24 12:07 oej

If we look at CycloneDX documents alone, they can have:

  • two different MIME types: application/vnd.cyclonedx+xml and application/vnd.cyclonedx+json,
  • many different functions: xBOM, VDR, VEX, etc.

I think we should use both:

  • a MIME type to indicate the format for the document. Additional characteristics like the human language can always be passed as attributes. E.g. application/vnd.cyclonedx+xml; lang=en.
  • a generic category that specifies the type of data in the document. For this we could reuse the externalReferences.type enum already contained in the CycloneDX specification.

By keeping the same enum as the one used by CycloneDX, it would be easier to convert a web of interconnected CycloneDX documents into a collection.

ppkarwasz avatar Aug 01 '24 06:08 ppkarwasz
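To make the two-axis scheme in the comment above concrete, here is an added example (my own illustration, not code from the TEA or CycloneDX projects). It parses a media type with parameters such as `application/vnd.cyclonedx+xml; lang=en`, takes the structured suffix (`+xml`, `+json`) as the serialisation, and pairs the result with a category checked against CycloneDX `externalReferences.type` values. Assumptions: the `lang` parameter is the hypothetical one proposed in the comment; the `version` parameter is the optional one the CycloneDX media type registration defines, to my knowledge; and the category list is a hand-copied subset of the 1.6 enum, so verify it against the schema before relying on it. The sample inputs are constructed.

```python
"""Media type + category descriptor for a TEA artefact.

Added illustration for the issue discussion; not project code.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Subset of CycloneDX externalReferences.type values. Assumed to match the
# 1.6 schema from memory; check the published schema before relying on it.
CDX_EXTERNAL_REFERENCE_TYPES = frozenset({
    "bom", "vulnerability-assertion", "exploitability-statement",
    "attestation", "release-notes", "license", "documentation",
    "distribution", "advisories", "other",
})

# RFC 9110 / RFC 2045 token and parameter grammar (quoted-string allowed).
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_TYPE_RE = re.compile(rf"^({_TOKEN})/({_TOKEN})$")
_PARAM_RE = re.compile(rf'\s*;\s*({_TOKEN})=(?:({_TOKEN})|"((?:[^"\\]|\\.)*)")')


@dataclass
class MediaType:
    type: str                     # e.g. "application"
    subtype: str                  # e.g. "vnd.cyclonedx" (suffix stripped)
    suffix: Optional[str]         # structured syntax suffix: "xml", "json" or None
    params: dict = field(default_factory=dict)  # names lower-cased, values as given


def parse_media_type(value: str) -> MediaType:
    """Parse 'type/subtype; name=value; name="quoted value"'.

    Type, subtype and parameter names are case-insensitive and are
    lower-cased; parameter values keep their case. Malformed input or
    a duplicated parameter raises ValueError instead of being guessed at.
    """
    idx = value.find(";")
    head = value if idx < 0 else value[:idx]
    rest = "" if idx < 0 else value[idx:].rstrip()

    m = _TYPE_RE.match(head.strip())
    if not m:
        raise ValueError(f"malformed media type: {value!r}")
    main, sub = m.group(1).lower(), m.group(2).lower()

    # "+xml" / "+json" is the serialisation; everything before it is the
    # vendor subtype that identifies the document family.
    base, plus, suffix = sub.rpartition("+")
    if not plus:
        base, suffix = sub, None

    params: dict = {}
    pos = 0
    while pos < len(rest):
        pm = _PARAM_RE.match(rest, pos)
        if not pm:
            raise ValueError(f"malformed parameter list in {value!r}")
        name = pm.group(1).lower()
        if pm.group(2) is not None:
            val = pm.group(2)
        else:  # quoted-string: drop the backslash escapes
            val = re.sub(r"\\(.)", r"\1", pm.group(3))
        if name in params:
            raise ValueError(f"duplicate parameter {name!r} in {value!r}")
        params[name] = val
        pos = pm.end()
    return MediaType(main, base, suffix, params)


@dataclass
class ArtifactDescriptor:
    media_type: MediaType  # what the bytes are (format + serialisation)
    category: str          # what the document is for (bom, VEX, ...)


def describe_artifact(media_type: str, category: str) -> ArtifactDescriptor:
    """Build a descriptor, rejecting categories outside the CycloneDX enum."""
    mt = parse_media_type(media_type)
    if category not in CDX_EXTERNAL_REFERENCE_TYPES:
        raise ValueError(
            f"unknown category {category!r}; use a CycloneDX "
            "externalReferences.type value")
    return ArtifactDescriptor(mt, category)


def artifact_summary(d: ArtifactDescriptor) -> dict:
    """Flatten a descriptor into the attributes the issue asks about."""
    mt = d.media_type
    full = f"{mt.type}/{mt.subtype}" + (f"+{mt.suffix}" if mt.suffix else "")
    return {
        "format": full,
        "serialisation": mt.suffix,
        "spec_version": mt.params.get("version"),  # e.g. "1.6"
        "lang": mt.params.get("lang"),             # e.g. "en"
        "category": d.category,
    }


if __name__ == "__main__":
    # Constructed sample: the same CycloneDX serialisation used as an xBOM
    # and as a VEX document, distinguished only by the category axis.
    for mt, cat in [
        ("application/vnd.cyclonedx+xml; lang=en", "bom"),
        ('application/vnd.cyclonedx+json; version=1.6; lang="en-GB"',
         "exploitability-statement"),
    ]:
        print(artifact_summary(describe_artifact(mt, cat)))
```

Note that the serialisation lives entirely in the media type and the purpose entirely in the category, so a collection can hold an XML BOM and a JSON VEX from the same tool without a combinatorial enum, which is the point of keeping the two axes separate.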

Sounds like a good plan. Does SPDX have a list similar to externalReferences?

oej avatar Aug 01 '24 07:08 oej

SPDX has a RelationshipType enumeration.

ppkarwasz avatar Aug 01 '24 07:08 ppkarwasz

That is a bit different but very interesting. It's a link attribute really. Maybe we can use something like that in the bundle.

oej avatar Aug 01 '24 07:08 oej

Added CycloneDX external ref to pull request.

oej avatar Aug 01 '24 13:08 oej