component's reference #313

Closed
2 tasks done
jkowalleck opened this issue Feb 10, 2023 · 0 comments
Labels: enhancement (New feature or request), schema 1.4
jkowalleck (Member) commented Feb 10, 2023

Is your feature request related to a problem? Please describe.

Currently, the component knows hashes that are based on composer's distribution hashes.
Nowadays, they are not used much. Instead, repository references are used - git node ids and so on.
These references should be in the BOM result.

See an example from some composer.lock file:

```json
{
    "name": "cyclonedx/cyclonedx-library",
    "version": "dev-master",
    "source": {
        "type": "git",
        "url": "https://github.com/CycloneDX/cyclonedx-php-library.git",
        "reference": "a2a854e03dbdeed5905ef7789a685b062941f5d2"
    },
    "dist": {
        "type": "zip",
        "url": "https://api.github.com/repos/CycloneDX/cyclonedx-php-library/zipball/a2a854e03dbdeed5905ef7789a685b062941f5d2",
        "reference": "a2a854e03dbdeed5905ef7789a685b062941f5d2",
        "shasum": ""
    }
}
```

Describe the solution you'd like

  • component has a property for the source reference.
  • component has a property for the dist reference.

register a property for https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md

Describe alternatives you've considered

none

Additional context

Add any other context or screenshots about the feature request here.


status:
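An added illustration of the request above, not code from the cyclonedx-php-composer plugin or the cyclonedx-php-library (and written in Python rather than the project's PHP so it runs without a Composer setup): it maps lock entries like the one quoted above into CycloneDX 1.4 component properties for the source and dist references, and classifies how strongly each entry pins the installed code. The property names `cdx:composer:package:sourceReference` and `cdx:composer:package:distReference` are assumed here; confirm them against the taxonomy document linked in the request. Treating Composer's `shasum` as a SHA-1 digest is also an assumption. The sample lock is constructed: the issue's entry plus two invented packages under `example/`.

```python
# Added illustration; not the cyclonedx-php-composer plugin's own code.
import json
import re

# Assumed property names in the cdx:composer namespace; confirm them
# against the taxonomy document linked in the issue.
PROP_SOURCE_REF = "cdx:composer:package:sourceReference"
PROP_DIST_REF = "cdx:composer:package:distReference"

_GIT_SHA1 = re.compile(r"[0-9a-f]{40}")

# Constructed composer.lock excerpt: the issue's entry (empty shasum)
# plus two invented packages covering the other pinning cases.
SAMPLE_LOCK = json.dumps({"packages": [
    {
        "name": "cyclonedx/cyclonedx-library", "version": "dev-master",
        "source": {"type": "git",
                   "url": "https://github.com/CycloneDX/cyclonedx-php-library.git",
                   "reference": "a2a854e03dbdeed5905ef7789a685b062941f5d2"},
        "dist": {"type": "zip",
                 "url": "https://api.github.com/repos/CycloneDX/cyclonedx-php-library/zipball/a2a854e03dbdeed5905ef7789a685b062941f5d2",
                 "reference": "a2a854e03dbdeed5905ef7789a685b062941f5d2",
                 "shasum": ""},
    },
    {   # invented: archive carries a digest, so the download is verifiable
        "name": "example/hash-pinned", "version": "1.2.3",
        "dist": {"type": "zip", "url": "https://example.test/hash-pinned-1.2.3.zip",
                 "reference": "1.2.3",
                 "shasum": "0123456789abcdef0123456789abcdef01234567"},
    },
    {   # invented: only a branch name, which upstream can move at will
        "name": "example/branch-only", "version": "dev-main",
        "source": {"type": "git", "url": "https://example.test/branch-only.git",
                   "reference": "main"},
        "dist": {"type": "zip", "url": "https://example.test/branch-only/latest.zip",
                 "reference": "main", "shasum": ""},
    },
], "packages-dev": []})


def lock_packages(lock_text):
    """All locked packages, production and dev, in lock-file order."""
    lock = json.loads(lock_text)
    return lock.get("packages", []) + lock.get("packages-dev", [])


def pin_status(pkg):
    """How strongly the entry pins what gets installed: dist-hash (digest
    present), commit-ref (full git commit id), mutable-ref (branch or tag
    name), unpinned (nothing at all)."""
    dist = pkg.get("dist") or {}
    source = pkg.get("source") or {}
    if dist.get("shasum"):
        return "dist-hash"
    ref = dist.get("reference") or source.get("reference") or ""
    if _GIT_SHA1.fullmatch(ref):
        return "commit-ref"
    return "mutable-ref" if ref else "unpinned"


def dist_url_embeds_reference(pkg):
    """True when the fetched dist URL names the recorded reference (as
    GitHub zipball URLs do); a mismatch means URL and reference drifted."""
    dist = pkg.get("dist") or {}
    ref = dist.get("reference")
    return bool(ref) and ref in dist.get("url", "")


def component_from_package(pkg):
    """CycloneDX 1.4 component dict for one lock entry."""
    source = pkg.get("source") or {}
    dist = pkg.get("dist") or {}
    component = {"type": "library", "name": pkg["name"],
                 "version": pkg["version"], "properties": []}
    # Composer's shasum is taken to be the SHA-1 of the archive (assumption).
    if dist.get("shasum"):
        component["hashes"] = [{"alg": "SHA-1", "content": dist["shasum"]}]
    if source.get("reference"):
        component["properties"].append(
            {"name": PROP_SOURCE_REF, "value": source["reference"]})
    if dist.get("reference"):
        component["properties"].append(
            {"name": PROP_DIST_REF, "value": dist["reference"]})
    if not component["properties"]:
        del component["properties"]
    return component


def build_bom(lock_text):
    """Minimal CycloneDX 1.4 BOM covering every locked package."""
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
            "components": [component_from_package(p)
                           for p in lock_packages(lock_text)]}


def property_value(component, name):
    """Value of the named property, or None when the component lacks it."""
    return next((p["value"] for p in component.get("properties", [])
                 if p["name"] == name), None)


if __name__ == "__main__":
    for pkg in lock_packages(SAMPLE_LOCK):
        print(f"{pkg['name']}: {pin_status(pkg)}, "
              f"url names reference: {dist_url_embeds_reference(pkg)}")
    print(json.dumps(build_bom(SAMPLE_LOCK), indent=2))
```

The point of carrying the reference in the BOM shows up in the first entry: with `shasum` empty, `components[].hashes` stays empty too, and the 40-hex commit id is the only thing that ties the component to an exact source tree. A branch name in `reference`, as in the third entry, records where the code came from but pins nothing, which is why the classification treats it separately from a commit id.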

@jkowalleck jkowalleck added enhancement New feature or request schema 1.4 labels Feb 10, 2023
@jkowalleck jkowalleck added this to the v4 milestone Feb 10, 2023
@jkowalleck jkowalleck self-assigned this Feb 10, 2023
jkowalleck added a commit that referenced this issue Mar 11, 2023
* BREAKING changes
  * Removed support for PHP `<8.0` ([#91] via [#250])
  * Removed support for PHP `<8.1` (via [#250])
  * Removed support for Composer `<2.3` ([#153] via [#250])
  * CLI
    * Removed deprecated composer command `make-bom`, call `composer CycloneDX:make-sbom` instead ([#293] via [#309])
    * Changed option `output-file` to default to `-` now, which causes to print to STDOUT (via [#250])
    * Removed option `exclude-dev` in favour of new option `omit` (via [#250])
    * Removed option `exclude-plugins` in favour of new option `omit` (via [#250])
    * Removed option `no-version-normalization` ([#102] via [#250])
  * SBOM results
    * Components' version is no longer artificially normalized ([#102] via [#250])
  * Dependencies
    * Requires `cyclonedx/cyclonedx-library:^2.0`, was `:^1.4.2` ([#128] via [#250])
* Changed
  * Evidence analysis prefers actually installed packages over lock file ([#122] via [#250])
  * Root component's versions is unset, if version detection fails ([#154] via [#250])
  * Composer packages of type "composer-installer" are treated as composer plugins (via [#250])
* Added
  * Evidence collection knows actually installed packages ([#122] via [#250])
  * SBOM results
    * Support for CycloneDX Spec v1.4 (via [#250])
    * might have `serialnumber` populated ([#279] via [#250])
    * might have `metadata.timestamp` populated ([#112] via [#250])
    * might have `metadata.tools[].tool.externalReferences` populated ([#171] via [#250])
    * might have `components[].component.author` populated ([#261] via [#250])
    * might have `components[].component.properties` populated according to [`cdx:composer` Namespace Taxonomy](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/composer.md) (via [#250])
  * CLI
    * New option `omit` (via [#250])
    * New switch `validate` to override `no-validate` (via [#250])
    * New switches `output-reproducible` and `no-output-reproducible` (via [#250])
* Misc
  * Added demo and reproducible continuous integration test "devReq" that is dedicated to composer's `require-dev` feature (via [#250])
  * Reworked demo setups to be more global-install like (via [#250])

[#91]:  #91
[#102]: #102
[#112]: #112
[#122]: #122
[#128]: #128
[#153]: #153
[#154]: #154
[#171]: #171
[#250]: #250
[#261]: #261
[#279]: #279
[#293]: #293
[#309]: #309
[#313]: #313

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>