Add externalReferences field to SBOM component

externalReferences of type distribution are now available to be a part of a component SBOM. This specific type is used for recording the download url and can be used to perform gating on the SBOM by tools that consume it. Docs: https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences Signed-off-by: Jan Koscielniak <[email protected]>
containerbuildsystem · Oct 29, 2024 · 29819b5 · 29819b5
1 parent 12543fc
commit 29819b5
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/cachi2/core/models/sbom.py b/cachi2/core/models/sbom.py
@@ -21,6 +21,13 @@ class Property(pydantic.BaseModel):
     value: str
 
 
+class ExternalReference(pydantic.BaseModel):
+    """An ExternalReference inside an SBOM component."""
+
+    url: str
+    type: Literal["distribution"] = "distribution"
+
+
 FOUND_BY_CACHI2_PROPERTY: Property = Property(name="cachi2:found_by", value="cachi2")
 
 
@@ -35,7 +42,10 @@ class Component(pydantic.BaseModel):
     purl: str
     version: Optional[str] = None
     properties: list[Property] = pydantic.Field(default_factory=list, validate_default=True)
-    type: Literal["library"] = "library"
+    type: Literal["library", "file"] = "library"
+    external_references: Optional[list[ExternalReference]] = pydantic.Field(
+        serialization_alias="externalReferences", default=None
+    )
 
     def key(self) -> str:
         """Uniquely identifies a package.