[feature] Set component's group/namespace in SBOM
What is your suggestion?
Hi! I would like for conan to be able to set a component's group (vendor, organization, etc.) and PURL namespace when generating an SBOM 🥺
My goal is to separate internal components from external ones (which are also packages created by me) when it comes to Dependency-Track analysis.
Internal components will be excluded from vulnerability scans and version checks that rely on external systems. The point is that I can mark components as internal by specifying either a component name regex or a component namespace regex, and I find the latter option the most convenient. In this scenario, I need to set the "group" field on each SBOM component.
Also, I suggest specifying namespace in PURL to reduce number of false positives when fuzzy CPE matching is enabled. For example, I create a package with CryptoPro CSP for my own repo. I need to set PURL to either pkg:conan/cryptopro/[email protected] or pkg:conan/[email protected] to find 1 relevant vulnerability. The latter option is less precise as it can fuzzy match with CPE like this: cpe:2.3:a:*:csp_something:*:*:*:*:*:*:*:*
What are your thoughts? Would it fit in conan? Thank you for your time!
Have you read the CONTRIBUTING guide?
- [x] I've read the CONTRIBUTING guide
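To make the request concrete, here is an added example (not conan's code and not part of the issue) of what the suggested SBOM shape would look like and how a namespace-based "internal component" rule would consume it. It builds CycloneDX-style component entries whose `group` field carries the vendor/organization and whose `purl` includes that value as the package URL namespace, then partitions a constructed BOM into internal and external components with a regex on `group`, mirroring the namespace-regex matching the post describes. All component names, versions and the `myorg` group are constructed sample values (the `csp` version is a placeholder, since the issue elides it), and the regex semantics are an assumption about how such a rule is applied.

```python
import json
import re
from urllib.parse import quote


def build_purl(ptype, name, version, namespace=None):
    """Build a package URL: pkg:<type>/<namespace>/<name>@<version>.

    Each segment is percent-encoded; a '/' inside the namespace separates
    sub-segments and is kept, everything else is escaped.
    """
    parts = ["pkg:" + ptype]
    if namespace:
        parts.append("/".join(quote(seg, safe="") for seg in namespace.split("/")))
    parts.append(quote(name, safe=""))
    return "/".join(parts) + "@" + quote(version, safe="")


def make_component(name, version, group=None, ptype="conan"):
    """CycloneDX-style component; 'group' is only emitted when a vendor/org is known,
    and the same value becomes the PURL namespace so CPE matching sees the vendor."""
    comp = {
        "type": "library",
        "name": name,
        "version": version,
        "purl": build_purl(ptype, name, version, namespace=group),
    }
    if group:
        comp["group"] = group
    return comp


def make_bom(components):
    # Minimal CycloneDX envelope around the component list (constructed example).
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "components": components,
    }


def classify_by_group(bom, internal_group_regex):
    """Split component names into (internal, external) by matching the regex
    against each component's 'group'. Components without a group never match,
    so they stay external and keep being scanned (assumed rule semantics)."""
    pattern = re.compile(internal_group_regex)
    internal, external = [], []
    for comp in bom["components"]:
        group = comp.get("group", "")
        (internal if pattern.search(group) else external).append(comp["name"])
    return internal, external


# Constructed sample BOM: one vendor-namespaced third-party package, one package
# without any group, and two in-house packages under the hypothetical "myorg" group.
SAMPLE_BOM = make_bom([
    make_component("csp", "0.0.0", group="cryptopro"),   # version is a placeholder
    make_component("zlib", "1.3.1"),
    make_component("authlib", "2.4.0", group="myorg"),
    make_component("buildtools", "0.9.0", group="myorg/infra"),
])


if __name__ == "__main__":
    print(json.dumps(SAMPLE_BOM, indent=2))
    internal, external = classify_by_group(SAMPLE_BOM, r"^myorg(/|$)")
    print("internal (skip external vuln/version lookups):", internal)
    print("external (scan as usual):", external)
```

Anchoring the regex (`^myorg(/|$)`) matters: an unanchored `myorg` would also classify a third party whose group merely contains that substring as internal and silently drop it from vulnerability scanning.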
Thank you very much for your issue. We're already looking into enabling further customization of the SBOM, I think being able to add a namespace to the PURL could be a good idea 😄 Let me discuss it with the team