-
Notifications
You must be signed in to change notification settings - Fork 28
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SBOM semantics and missing properties #146
Comments
Hi @shoeffner You might be interested in this discussion #143. Some folks from cyclonedx are providing some guidance and feedback there, we are definitely not experts in this, and we don't have the bandwidth for it, so here we are relying mostly on community and other experts guidance. |
Oh I didn't see that one, thanks. While this is related (with respect to the author field, so I'll chime in on the other issue), I will keep this open as this is also about additional data. |
Just for information, the cyclonedx-python-lib >=5.0.0 is breaking Conan2's SBOM extension on some conan packages because they have a strict validation regarding the number of licenses. I encountered the issue with the openjdk conanfile.py which declares 2 licences: If I edit the file to keep only one licence, this gets rid of the error. I tried to locate in which version of the cyclonedx-python-lib this check was added but this is present in the minimal version required, 5.0.0 and the previous 4.2.3 version doesn't have the same python modules names so the import raises an exception. Certainly experts will be needed to understand how to do a proper fix because the specification is full of jargon. |
I'd would find the CPE information especially useful. You might take a look at how syft generates the CPE from the the processed conan package information e.g. here: |
We currently use a custom generator to build SBOMs but are looking into switching to this extension.
I noticed that several fields are missing (e.g., the cpe, the license texts, etc.) and some have different semantics – for example, as far as I understand, the "author" of a component (or, in newer SBOM spec versions, "authors"; maybe also manufacturers?) would be the person/organization who wrote the source code, created the model, etc., while in conan the "author" is the author of the recipe. Maybe the conan recipe author would be fitting for "supplier" field, or . The author of the BOM, however, should always be Conan (and not the author of the recipe).
I have to admit that I am still unsure about the difference between author and manufacturer (especially since "author" is for "manual" processes and "manufacturer" for automated processes...), but that's maybe not that important right now.
sbom
which then containscopyright
,cpe
, and a couple of other entries which we need; plus, we always extract license texts into a LICENSE file which we place next to the recipe so we can even include that in our SBOM generation)The text was updated successfully, but these errors were encountered: