Capture and report CDX SBOM header information from a load_sbom pipeline #1253
Signed-off-by: tdruez <tdruez@nexb.com>
Implementation in progress at #1266
The Project extra_data contains the following, @mjherzog could you confirm this would work for you?
This looks good to me - thank you. One concern is keeping up with the relevant spec changes for this data, especially for CDX where there seems to be a faster rate of change for this data than SPDX.
@mjherzog That should not be a major problem. The current implementation is based on simple lists of the first-level properties that we want to extract.
Signed-off-by: tdruez <tdruez@nexb.com>
Merged and deployed.
Somewhat like a Docker image, an SBOM has important "header" information that should be displayed in SCIO as Project Data.
For CycloneDX v1.5 JSON format the sections/fields are:
Some of the data like metadata/licenses could be voluminous, but we rarely see metadata/licenses data in recent practice.
We should also add this feature for SPDX Documents - https://spdx.github.io/spdx-spec/v2.3/document-creation-information/ - but that is a lower priority.
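An added example of the approach described in the thread (a plain list of first-level properties to extract), written here and not taken from scancode.io: it pulls the CycloneDX v1.5 document and metadata properties into a dict shaped like Project extra_data and, following the concern about voluminous metadata/licenses, reduces each license entry to its id, name or expression. The field selection is our own reading of the v1.5 JSON schema and the sample document is constructed.

```python
import json

# First-level document and metadata properties of a CycloneDX v1.5 JSON BOM.
# This selection is an assumption for the example, not the project's own list.
CDX_DOCUMENT_FIELDS = ["bomFormat", "specVersion", "serialNumber", "version"]
CDX_METADATA_FIELDS = [
    "timestamp", "tools", "authors", "component", "manufacture",
    "supplier", "licenses", "properties",
]


def summarize_licenses(licenses):
    """Keep only license ids, names or expressions; drop embedded license text."""
    summary = []
    for entry in licenses:
        if "expression" in entry:
            summary.append(entry["expression"])
        elif "license" in entry:
            lic = entry["license"]
            summary.append(lic.get("id") or lic.get("name"))
    return summary


def extract_cdx_header(document):
    """Return the header data for Project extra_data, or None if not CycloneDX."""
    if document.get("bomFormat") != "CycloneDX":
        return None
    header = {f: document[f] for f in CDX_DOCUMENT_FIELDS if f in document}
    metadata = document.get("metadata") or {}
    extracted = {f: metadata[f] for f in CDX_METADATA_FIELDS if f in metadata}
    if "licenses" in extracted:
        extracted["licenses"] = summarize_licenses(extracted["licenses"])
    if extracted:
        header["metadata"] = extracted
    return header


def load_header_from_json(text):
    """Parse a CycloneDX JSON string and extract its header."""
    return extract_cdx_header(json.loads(text))


# Constructed sample BOM: only the header should survive, not "components".
SAMPLE_CDX_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "serialNumber": "urn:uuid:00000000-0000-0000-0000-000000000000",
    "metadata": {
        "timestamp": "2024-05-01T00:00:00Z",
        "tools": [{"name": "example-tool", "version": "0.1"}],
        "component": {"type": "application", "name": "demo-app", "version": "2.0.0"},
        "licenses": [{"license": {"id": "MIT", "text": {"content": "<very long text>"}}},
                     {"expression": "Apache-2.0 OR GPL-2.0-only"}],
    },
    "components": [{"type": "library", "name": "dep", "version": "1.0"}],
})
```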