Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Should enrichment modify or add to the tools noted in the SBOM #11

Open
garethr opened this issue Jun 9, 2023 · 3 comments
Open

Should enrichment modify or add to the tools noted in the SBOM #11

garethr opened this issue Jun 9, 2023 · 3 comments
Labels
enhancement New feature or request

Comments

@garethr
Copy link
Collaborator

garethr commented Jun 9, 2023

Good question from @rnjudge https://twitter.com/rosejudge5/status/1666879138739916800

how is SBOM creation metadata handled when the SBOM is changed? Is the document creation metadata changed to reflect the new creator?

Warrants investigation. Parlay is adding to, rather than recreating, the original content. You ideally still want to know what tool generated the list of packages, but (separately) knowing that some of the information came from Parlay would be useful.

@garethr garethr added the enhancement New feature or request label Jun 9, 2023
@mcombuechen
Copy link
Collaborator

Both CycloneDX and SPDX should support extending an already available list of creation tools, and add Parlay as an additional entry while maintaining any other tools that might have come before it.

@rnjudge
Copy link

rnjudge commented Jun 30, 2023

The trouble with adding a creator instance to the original SPDX document is that the timestamp of when Parlay enriches the SBOM and when the SBOM is actually created will be different (in 2.3 at least) and simply adding a creator would imply that those timestamps were the same. The original SBOM should not be modified.

You think could also use an amends relationship from the original document to point to another version of the SBOM that has been enriched. I think you could also enhance the SBOM using annotations of some sort?. to Adding @goneall here because he will have a better idea.

Note that in 3.0 this will be much easier because of the profiles being added. In SPDX 3, you can put enhancement information into a new file which could reference the original one.

@goneall
Copy link
Contributor

goneall commented Jun 30, 2023

Agree with @rnjudge comments above - making amendments to the original SBOM would be the preferred approach. That would allow clear separation of the creation information.

There are a couple of ways you could do this in SPDX:

  • create a complete copy of the SBOM + the amended information then have a single amends relationship back to the original document
  • create a skinny non-SBOM with just the changed elements and have an amends relationship back to each modified element

I personally like the first approach - seems simpler and in the spirit of this utility.

You can also use Annotations - however, they are unstructured and may not be easily machine understood by the receiver.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request
Projects
None yet
Development

No branches or pull requests

4 participants