Change component type so that it's not required or add a new type of unassigned #466

Open
pjdowner opened this issue May 14, 2024 · 2 comments
@pjdowner

I'm currently working on generating an SBOM for a Yocto-based embedded distribution and I'd like to use Dependency-Track. I have a semi-working solution to get my SBOM into Dependency-Track, but it's not perfect, and so I've been looking at generating validated CycloneDX-formatted JSON with the new solution I'm working on.

However, after experimenting with cyclonedx-python-lib and its validation functions, I've discovered that component type is a required field:
https://cyclonedx.org/docs/1.6/json/#components_items_type

Yocto has a lot of packages (over 100 just in the initramfs, never mind the root fs) that I need to cover and I can't find a way to easily extract a reasonable type for each package. Is there an explanation for why this is required when it doesn't appear to be used by applications like dependency track? Could the required status be dropped?

If there is a specific reason to keep this as a required field, could an extra type of 'unassigned' or similar be added to the spec?

@stevespringett
Member

Per the docs:

For software components, classify as application if no more specific appropriate classification is available or cannot be determined for the component.

So if you're unable to determine the type of component, simply use application.

But yes, we can revisit this requirement for the v1.7 release.

@stevespringett stevespringett added this to the 1.7 milestone May 14, 2024
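An added example, not code from this issue or from the CycloneDX project: a small Python script that maps a constructed list of Yocto packages to CycloneDX 1.6 components, falls back to `application` when no more specific type is known (as the spec text quoted above says), and pre-checks the required `type` field against the 1.6 enum before the document goes to a full schema validator. The package list, its `type` hints and the helper names are assumptions.

```python
import json
import uuid

# Component types allowed by the CycloneDX 1.6 JSON schema (components_items_type).
COMPONENT_TYPES = {
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware", "file",
    "machine-learning-model", "data", "cryptographic-asset",
}

# Spec guidance: classify a software component as "application" when no more
# specific classification is available or can be determined.
DEFAULT_TYPE = "application"

# Constructed sample of Yocto packages (hypothetical); a type hint is only
# known for some of them, and one hint is not a valid CycloneDX type at all.
YOCTO_PACKAGES = [
    {"name": "busybox", "version": "1.36.1", "type": None},
    {"name": "linux-yocto", "version": "6.6.23", "type": "operating-system"},
    {"name": "libgcc", "version": "13.2.0", "type": "library"},
    {"name": "u-boot", "version": "2024.01", "type": "firmware"},
    {"name": "base-files", "version": "3.0.14", "type": "bogus"},
]


def to_component(pkg):
    """Map one package record to a CycloneDX component, defaulting the type."""
    hint = pkg.get("type")
    ctype = hint if hint in COMPONENT_TYPES else DEFAULT_TYPE
    return {"type": ctype, "name": pkg["name"], "version": pkg["version"]}


def build_bom(packages):
    """Build a minimal CycloneDX 1.6 BOM document as a plain dict."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "components": [to_component(p) for p in packages],
    }


def invalid_type_components(bom):
    """Names of components whose required 'type' is missing or not in the enum.
    This is a local pre-check only; full validation still needs the JSON schema."""
    return [c.get("name") for c in bom.get("components", [])
            if c.get("type") not in COMPONENT_TYPES]


if __name__ == "__main__":
    print(json.dumps(build_bom(YOCTO_PACKAGES), indent=2))
```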
@pjdowner
Author

Oh, that's great, thanks. I can't believe I missed that bit about using application as the default appropriate classification... Thanks for adding it to the 1.7 milestone for review, though.
