Should enrichment modify or add to the tools noted in the SBOM #11
Comments
|
Both CycloneDX and SPDX should support extending an already available list of creation tools, and add Parlay as an additional entry while maintaining any other tools that might have come before it. |
|
The trouble with adding a creator instance to the original SPDX document is that the timestamp of when Parlay enriches the SBOM and when the SBOM is actually created will be different (in 2.3 at least) and simply adding a creator would imply that those timestamps were the same. The original SBOM should not be modified. You think could also use an amends relationship from the original document to point to another version of the SBOM that has been enriched. I think you could also enhance the SBOM using annotations of some sort?. to Adding @goneall here because he will have a better idea. Note that in 3.0 this will be much easier because of the profiles being added. In SPDX 3, you can put enhancement information into a new file which could reference the original one. |
|
Agree with @rnjudge comments above - making amendments to the original SBOM would be the preferred approach. That would allow clear separation of the creation information. There are a couple of ways you could do this in SPDX:
I personally like the first approach - seems simpler and in the spirit of this utility. You can also use Annotations - however, they are unstructured and may not be easily machine understood by the receiver. |
Good question from @rnjudge https://twitter.com/rosejudge5/status/1666879138739916800
Warrants investigation. Parlay is adding to, rather than recreating, the original content. You ideally still want to know what tool generated the list of packages, but (separately) knowing that some of the information came from Parlay would be useful.
The text was updated successfully, but these errors were encountered: