
Use annotation and properties in SBOMs for additional details?

Open tsteenbe opened this issue 3 months ago • 0 comments

ScanCode.io will generate a project result file as JSON after each run that includes project details like input sources, settings, and packages and dependencies found. Other SBOM tools such as grype and trivy are able to store these project result details within the SBOMs they generate, using CycloneDX properties and SPDX annotations.

It might be a good idea for ScanCode.io to do the same; not yet sure which level of detail should be captured in the SBOM.

Example from Trivy below

```json
{
  "purl": "pkg:apk/alpine/[email protected]?arch=x86_64&distro=3.17.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:LayerDiffID",
      "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf"
    },
    {
      "name": "aquasecurity:trivy:LayerDigest",
      "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715"
    },
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "[email protected]"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "alpine"
    },
    {
      "name": "aquasecurity:trivy:SrcName",
      "value": "alpine-baselayout"
    },
    {
      "name": "aquasecurity:trivy:SrcVersion",
      "value": "3.4.0-r0"
    }
  ]
}
```

tsteenbe · Sep 22 '25 08:09
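The pattern the issue describes, as an added example that is not ScanCode.io's or Trivy's own code: a small converter that takes a results dict shaped loosely like a ScanCode.io project output and emits a CycloneDX 1.5 document, carrying project-level details (pipeline, input sources, settings) as `metadata.properties` and per-package details as component `properties`, plus the equivalent SPDX 2.3 annotation. The `aboutcode:scancodeio:` property namespace, the input structure, and the sample data are assumptions made for this example, not an existing ScanCode.io convention. It also includes the check a consumer would want before trusting such properties, since CycloneDX properties are free-form name/value strings with no schema beyond that.

```python
"""Added example: embed scan-run details in an SBOM via CycloneDX properties
and an SPDX annotation. Not ScanCode.io or Trivy code; the property namespace
and the input layout are assumptions for illustration."""
import json

# Assumed namespace; CycloneDX recommends prefixing property names so consumers
# can tell which tool wrote them (compare Trivy's "aquasecurity:trivy:*").
NAMESPACE = "aboutcode:scancodeio:"

# Constructed sample, shaped loosely like a ScanCode.io project results file.
SAMPLE_RESULTS = {
    "headers": [{
        "tool_name": "scanpipe",
        "tool_version": "34.0.0",
        "runs": [{"pipeline_name": "scan_codebase"}],
        "input_sources": [{"filename": "app.tar.gz", "sha256": "ab" * 32}],
        "settings": {"extract_recursively": True},
    }],
    "packages": [{
        "purl": "pkg:pypi/requests@2.31.0",
        "name": "requests",
        "version": "2.31.0",
        "type": "pypi",
        "sha256": "cd" * 32,
        "datasource_ids": ["pypi_wheel_metadata"],
    }],
}


def prop(name, value):
    """One CycloneDX property: namespaced name, value always serialized as a string."""
    return {"name": NAMESPACE + name, "value": str(value)}


def project_properties(results):
    """Project-level details that belong in metadata.properties."""
    header = results["headers"][0]
    props = [prop("pipeline", run["pipeline_name"]) for run in header["runs"]]
    for src in header["input_sources"]:
        props.append(prop("input_source", f'{src["filename"]}:{src["sha256"]}'))
    for key, value in sorted(header["settings"].items()):
        # json.dumps keeps booleans/numbers unambiguous ("true", not "True").
        props.append(prop(f"setting:{key}", json.dumps(value)))
    return props


def component(pkg):
    """One CycloneDX component with per-package details as properties."""
    comp = {
        "type": "library",
        "bom-ref": pkg["purl"],
        "name": pkg["name"],
        "version": pkg["version"],
        "purl": pkg["purl"],
        "properties": [prop("package_type", pkg["type"])]
        + [prop("datasource_id", d) for d in pkg["datasource_ids"]],
    }
    if pkg.get("sha256"):
        comp["hashes"] = [{"alg": "SHA-256", "content": pkg["sha256"]}]
    return comp


def to_cyclonedx(results):
    header = results["headers"][0]
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "tools": [{"name": header["tool_name"], "version": header["tool_version"]}],
            "properties": project_properties(results),
        },
        "components": [component(p) for p in results["packages"]],
    }


def spdx_annotation(results, annotation_date="2025-09-22T08:09:00Z"):
    """SPDX 2.3 has no properties; the same details go into an annotation whose
    comment is a JSON string. The date is a constructed sample value."""
    header = results["headers"][0]
    details = {"runs": header["runs"], "input_sources": header["input_sources"],
               "settings": header["settings"]}
    return {
        "annotationType": "OTHER",
        "annotator": f'Tool: {header["tool_name"]}-{header["tool_version"]}',
        "annotationDate": annotation_date,
        "comment": json.dumps(details, sort_keys=True),
    }


def check_properties_namespaced(bom, namespace=NAMESPACE):
    """Consumer-side check: only act on properties that carry the expected
    namespace and string values; anything else is unknown provenance."""
    props = list(bom.get("metadata", {}).get("properties", []))
    for comp in bom.get("components", []):
        props.extend(comp.get("properties", []))
    return all(p["name"].startswith(namespace) and isinstance(p["value"], str)
               for p in props)


if __name__ == "__main__":
    bom = to_cyclonedx(SAMPLE_RESULTS)
    print(json.dumps(bom, indent=2))
    print(json.dumps(spdx_annotation(SAMPLE_RESULTS), indent=2))
```

The level-of-detail question in the issue maps directly onto which keys `project_properties` and `component` copy across: anything that identifies how a package was found (pipeline, datasource, input digest) is cheap to carry and useful for audit, while full settings dumps can leak paths or credentials from the scan environment and are worth filtering before they land in an SBOM that gets published.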