
Should we have a separate "source" SBOM and "build" SBOM

Open goneall opened this issue 2 years ago • 5 comments

Based on the OpenSSF SBOM Naming recommendations (draft at this point), there should be separate SBOMs for the binary artifacts and the source artifacts.

We currently include the source information and the build information in the same SBOM as the source.

One thought is to have 3 SBOMs - consolidated, source only, build only.

goneall, Sep 12 '23 15:09

This would be nice, I have to delete the source type currently to get the build part only.

joerg1985, Feb 21 '25 09:02

How about we add a parameter sbomType with the following options:

  • source - a source only SBOM
  • build - a build only SBOM
  • consolidated - (default) both source and build in the same SBOM - same as current functionality
  • both - create 2 separate SBOMs appending -source and -build to the file names

@joerg1985 - Let me know any thoughts

goneall, Feb 21 '25 19:02

It looks like it would be much easier to just have 3 options:

  • build
  • consolidated
  • source

We could add the "both" or "separate" option later if there is interest.

goneall, Feb 24 '25 05:02

@goneall I don't think both is needed, you could just add a second execution to your pom to get both files.

joerg1985, Feb 24 '25 08:02
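The two-execution approach joerg1985 describes, written out as a pom.xml fragment. This is an added example, not code from the thread or from the plugin's own documentation. It assumes the `sbomType` parameter with the `source` and `build` values exactly as proposed in this issue (not yet a released feature at the time of the discussion), the plugin's `createSPDX` goal, and an `spdxFile` parameter for the output path; the plugin version is a placeholder and the output file names are chosen here to match the `-source` / `-build` suffix idea from the thread.

```xml
<build>
  <plugins>
    <plugin>
      <groupId>org.spdx</groupId>
      <artifactId>spdx-maven-plugin</artifactId>
      <!-- placeholder: use the release that ships the sbomType parameter -->
      <version>PLUGIN_VERSION_PLACEHOLDER</version>
      <executions>
        <!-- Execution 1: SBOM describing only the source artifacts.
             sbomType=source is the value proposed in this issue (assumption). -->
        <execution>
          <id>spdx-source-sbom</id>
          <phase>package</phase>
          <goals>
            <goal>createSPDX</goal>
          </goals>
          <configuration>
            <sbomType>source</sbomType>
            <spdxFile>${project.build.directory}/${project.artifactId}-${project.version}-source.spdx.json</spdxFile>
          </configuration>
        </execution>
        <!-- Execution 2: SBOM describing only the built binary artifact.
             sbomType=build is the value proposed in this issue (assumption). -->
        <execution>
          <id>spdx-build-sbom</id>
          <phase>package</phase>
          <goals>
            <goal>createSPDX</goal>
          </goals>
          <configuration>
            <sbomType>build</sbomType>
            <spdxFile>${project.build.directory}/${project.artifactId}-${project.version}-build.spdx.json</spdxFile>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Because both executions bind to the `package` phase, a single `mvn package` produces the two files side by side, and a consumer who only needs to verify what shipped in the binary can consume the `-build` SBOM alone without filtering source entries out of a consolidated document.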

@joerg1985 Excellent point - I'll add a PR with the 3 options build, consolidated, source.

goneall, Feb 24 '25 08:02