As per this CycloneDX example, it is valid to have a CycloneDX document that includes just VEX data and through use of CycloneDX BomLink link to Components held in a separate CycloneDX document.
This mechanism allows for real-world Use Cases as the composition of a piece of software is fixed at a given point in time, whereas the known Vulnerabilities (or a Supplier's response to known Vulnerabilities) changes over time.
The adage: "Software ages like milk not wine" applies.
At present in cyclonedx-python-lib, the data model is structured such that Vulnerabilities are added to Component instances. The serialisers in this library also assume that Vulnerability data is only present if there are Components too.
This Feature should:

- Allow for Vulnerability (VEX) data to be modelled without modelling Components fully
- Update `cyclonedx.model.bom.Bom` to have a `SortedSet` of `Vulnerability`
- Remove the `SortedSet` of `Vulnerability` in `cyclonedx.model.component.Component`, but look to retain the existing method for adding a `Vulnerability` that relates to a `Component` to minimise breaking changes
- `bom-ref`s that utilise CycloneDX BomLink

FYI @jkowalleck
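As an added illustration of the proposed model (not code from cyclonedx-python-lib; the class and method names are hypothetical stand-ins): the `Bom` owns the vulnerabilities, a `Component` keeps an `add_vulnerability` method that delegates to its `Bom`, and a VEX-only document can reference components held in another BOM via a BomLink (`urn:cdx:<serialNumber>/<version>#<bom-ref>`):

```python
import re
from dataclasses import dataclass, field

# CycloneDX BomLink element reference: urn:cdx:<serialNumber UUID>/<version>#<bom-ref>
BOMLINK_RE = re.compile(
    r"^urn:cdx:[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}/[1-9][0-9]*#.+$")

def is_bomlink(ref: str) -> bool:
    """True when `ref` points into another BOM instead of naming a local bom-ref."""
    return BOMLINK_RE.match(ref) is not None

@dataclass
class Vulnerability:            # hypothetical, simplified stand-in for the library's class
    vuln_id: str
    affects: list = field(default_factory=list)   # local bom-refs and/or BomLinks

@dataclass
class Component:
    name: str
    bom_ref: str
    bom: "Bom"                  # owning document, so the legacy add method can delegate

    def add_vulnerability(self, vuln: Vulnerability) -> None:
        """Kept for compatibility: mark this component as affected, store on the Bom."""
        if self.bom_ref not in vuln.affects:
            vuln.affects.append(self.bom_ref)
        self.bom.vulnerabilities[vuln.vuln_id] = vuln

@dataclass
class Bom:
    components: list = field(default_factory=list)
    vulnerabilities: dict = field(default_factory=dict)   # vuln_id -> Vulnerability

    def add_component(self, name: str, bom_ref: str) -> Component:
        comp = Component(name, bom_ref, self)
        self.components.append(comp)
        return comp

    def dangling_refs(self) -> list:
        """Affects refs that are neither a local bom-ref nor a well-formed BomLink."""
        local = {c.bom_ref for c in self.components}
        return [r for v in self.vulnerabilities.values() for r in v.affects
                if r not in local and not is_bomlink(r)]

    def to_dict(self) -> dict:
        """Serialise; a VEX-only document legitimately has no 'components' key."""
        doc = {"bomFormat": "CycloneDX", "specVersion": "1.4"}
        if self.components:
            doc["components"] = [{"name": c.name, "bom-ref": c.bom_ref} for c in self.components]
        if self.vulnerabilities:
            doc["vulnerabilities"] = [{"id": v.vuln_id, "affects": [{"ref": r} for r in v.affects]}
                                      for v in self.vulnerabilities.values()]
        return doc
```

The `dangling_refs` check is what a serialiser would need once vulnerabilities no longer hang off a component: a reference must resolve locally or be a BomLink into another document.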