Add BOM Meta Endpoint #2
Labels
enhancement
New feature or request
Comments
|
If this is acceptable, I'll create a PR that adds this to the spec and we can figure out the details. |
|
Should we include group, name and version of the software the BOM is for as well? |
I don't think so. CycloneDX has these things. SPDX does not. IMO, I think we keep it strictly metadata about the BOM, not its contents. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The idea behind a BOM Meta endpoint is to provide format, hash, and external signature information.
The BOM Meta retrieval would work similar to the existing BOM retrieval, but would return metadata rather than the BOM itself.
As an example, here's a snippet response for what I'm thinking about being returned:
{ "spec": { "format": "CycloneDX", "version": "1.4", "mime-type": "application/vnd.cyclonedx+json", }, "published": "2022-03-07T15:50+00Z", "checksum": [ { "alg": "SHA-256", "value": "CF80CD8..." }, { "alg": "SHA-512", "value": "CF80CD8..." }, { "alg": "SHA3-256", "value": "CF80CD8..." }, { "alg": "SHA3-512", "value": "CF80CD8..." }, { "alg": "BLAKE3", "value": "CF80CD8..." } ], "signature": [ ] }I think
algshould be an enum with only those supported algorithms.As for signatures, it would be ideal if we could support external signature files, signature services (e.g sigstore), and external inline.
The text was updated successfully, but these errors were encountered: