
SBOM URLs: Guidance on URL usage #689

Open
tschmidtb51 opened this issue Feb 16, 2024 · 1 comment

Comments

@tschmidtb51
Contributor

The TC received a comment via its mailing list:

When considering how to reference SBOMs within CSAF documents, the question arises regarding https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#31335-full-product-name-type---product-identification-helper---sbom-urls :
Should the URL point to a generic location where the SBOM can be found (such as the release page https://github.com/juice-shop/juice-shop/releases/tag/v16.0.0), or should it be specific to a particular version (https://github.com/juice-shop/juice-shop/releases/download/v16.0.0/juice-shop-16.0.0_node18_linux_x64.tgz)? While CSAF documents can include version information, it would be beneficial to provide guidance on the preferred approach within the standard itself.

As a CSAF user, I might want to download the referenced SBOM automatically. In that case, the path within the container (e.g. zip/tgz) needs to be provided. For example with an anchor URL:
https://github.com/juice-shop/juice-shop/releases/download/v16.0.0/juice-shop-16.0.0_node18_linux_x64.tgz#/juice-shop/sbom.json

While the answer to the first question is clear (the URL should point to the direct location of the SBOM and not a generic download page), we need to discuss:
a) whether we follow the suggested format for links into archives and
b) how to provide that guidance (e.g. FAQ question, special guidance, only in a next version of the standard, etc.)

For a) we need to consider, whether and how other formats are handling these things.

@tschmidtb51 tschmidtb51 changed the title SBOM URLs: Guidance on url usage SBOM URLs: Guidance on URL usage Feb 16, 2024
@wurstbrot

Hi,

https://github.com/juice-shop/juice-shop/releases/download/v16.0.0/juice-shop-16.0.0_node18_linux_x64.tgz#/juice-shop/sbom.json is something I came up with. Better might be to let the SBOM URL point to the archive, e.g. https://github.com/juice-shop/juice-shop/releases/download/v16.0.0/juice-shop-16.0.0_node18_linux_x64.tgz and an extra optional attribute, e.g. pathInArchive=/juice-shop/sbom.json.
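To make the two conventions discussed in this thread concrete, here is an added example (not CSAF project code, not code from either commenter) of what an automated consumer would have to do with an SBOM reference: split off the in-archive path, whether it arrives as a URL fragment (issue body) or as a separate attribute (the hypothetical `pathInArchive` from the comment), refuse paths that could escape the archive root, and pull the member out of the archive. The archive is built in memory from constructed sample data so the block runs offline; the function names are assumptions of this example. Note that a `#/path` fragment is never sent to the server, so the client alone is responsible for validating it before using it as an extraction path.

```python
import io
import json
import tarfile
from urllib.parse import urlsplit, urlunsplit

# Constructed sample SBOM content (not a real juice-shop SBOM).
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.5", "components": []}


def build_sample_archive(member_path="juice-shop/sbom.json"):
    """Build an in-memory .tgz holding SAMPLE_SBOM at member_path (constructed test data)."""
    buf = io.BytesIO()
    data = json.dumps(SAMPLE_SBOM).encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name=member_path)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def is_safe_member_path(path):
    """Reject absolute paths and '..' components; a fragment is attacker-influenced input."""
    if not path or path.startswith(("/", "\\")) or "\\" in path:
        return False
    parts = [p for p in path.split("/") if p not in ("", ".")]
    return bool(parts) and ".." not in parts


def split_sbom_reference(url, path_in_archive=None):
    """Return (archive_url, member_path) for either convention.

    Convention 1 (issue body): path carried in the URL fragment,
        ...tgz#/juice-shop/sbom.json
    Convention 2 (comment): URL points at the archive, a separate
        attribute (hypothetical 'pathInArchive') carries the path.
    Both present and disagreeing is treated as an error rather than silently picking one.
    """
    parts = urlsplit(url)
    fragment_path = parts.fragment or None
    if fragment_path and path_in_archive and fragment_path.lstrip("/") != path_in_archive.lstrip("/"):
        raise ValueError("URL fragment and pathInArchive disagree")
    member = path_in_archive or fragment_path
    archive_url = urlunsplit(parts._replace(fragment=""))  # fragment is client-side only
    if member is None:
        return archive_url, None
    member = member.lstrip("/")  # '#/juice-shop/sbom.json' -> 'juice-shop/sbom.json'
    if not is_safe_member_path(member):
        raise ValueError("unsafe in-archive path: %r" % member)
    return archive_url, member


def extract_sbom(archive_bytes, member_path):
    """Extract exactly one regular-file member from a .tgz and parse it as JSON."""
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        try:
            member = tar.getmember(member_path)
        except KeyError:
            raise FileNotFoundError("archive has no member %r" % member_path)
        if not member.isfile():  # no symlinks, directories or devices
            raise ValueError("member %r is not a regular file" % member_path)
        return json.load(tar.extractfile(member))


def resolve_sbom(url, archive_bytes, path_in_archive=None):
    """Given the reference and the already-downloaded archive bytes, return the SBOM dict."""
    _archive_url, member = split_sbom_reference(url, path_in_archive)
    if member is None:
        # Plain URL: the document itself is the SBOM, not an archive.
        return json.loads(archive_bytes)
    return extract_sbom(archive_bytes, member)


if __name__ == "__main__":
    url = ("https://github.com/juice-shop/juice-shop/releases/download/v16.0.0/"
           "juice-shop-16.0.0_node18_linux_x64.tgz#/juice-shop/sbom.json")
    print(split_sbom_reference(url))
    print(resolve_sbom(url, build_sample_archive())["bomFormat"])
```

Whichever convention the TC settles on, the consumer side looks the same: the archive URL is what gets fetched, the member path is untrusted input that must be checked before extraction, and a mismatch between fragment and attribute should fail loudly.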
