feat: support for external components with version-ranges #586
Conversation
...s/src/test/resources/1.7/informal-invalid-component-versionRange-non-extraneous-explicit.xml
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Looks good to me, although I think we should clarify better, when isExtraneous is used.
For example I don't think isExtraneous makes sense in $.metadata.component even if versionRange is used.
Also, in a CycloneDX VDR/VEX document, isExtraneous does not make sense.
jkowalleck
force-pushed
the
feat/extraneous-component
branch
from
3e1eb53 to
7a52828
Compare
Co-authored-by: Piotr P. Karwasz <piotr@github.copernik.eu> Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
|
This is great! I guess it would be good to make explicit that you should not include hashes for extraneous components? Also, since different versions may have different transitive dependencies, does that mean no transitive dependencies should be listed for extraneous components? Or is it OK to keep listing those (as long as they're also marked extraneous) and leave it up to the downstream consumer of the sbom to drop no-longer-relevant extraneous components as needed? |
I thought about dropping transitive dependencies too, but some usages require to have at least a draft of what transitive dependencies could appear. For example we could link a CycloneDX SBOM to a CycloneDX VEX. In order to know, which CVEs published by dependencies will be analyzed in the VEX, we need to provide an approximate list of transitive dependencies. While commercial manufacturers might be required to answer questions like "Is my Java application vulnerable to this Go CVE", OSS projects will certainly not answer questions beyond the dependencies listed in the SBOM. |
|
regarding transitive dependencies, hashes and such. nope. hashes CAN be used, even for extraneous dependencies. all is a MAY/CAN -- not a MUST. |
|
thank you all for the early review and the interesting questions and remarks. 👍 If they were technical, then they are about to be addressed in this PR. more questions and remarks are very welcome - better here in the PR or in the issue #321 than else where. |
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck
changed the title
jkowalleck
force-pushed
the
feat/extraneous-component
branch
from
80de26a to
24b028d
Compare
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck
force-pushed
the
feat/extraneous-component
branch
from
24b028d to
345c32c
Compare
Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck
force-pushed
the
feat/extraneous-component
branch
from
345c32c to
21f8f42
Compare
|
for the record: I found that the word "external" is better fitting for what this is all about. therefore, I propose to use "external". adapted in this PR |
|
refined the wordings based on your feedback. |
jkowalleck
changed the title
jkowalleck
changed the title
|
@stevespringett this one is ready for review |
|
RFC notice sent. Public RFC period ends March 18, 2025 |
jkowalleck
added
the
RFC notice sent
As discussed in ticket #321, this PR adds the following abilities:
fixes #321
Note
this one supersedes #326 <-- read there for more background and previous discussions
implementing with
components, because the objects referenced/required are actually used at runtime and therefore are considered a "component".Sketch/proposal for #321 -- WORK IN PROGRESS
no asserts - this would require XSD1.1 which is not broadly implemented, yet.
Note
ALL FEEDBACK IS WELCOME! Yes, everything.
but some might not be resolved in this very PR, but in the authoritative guides. See #586 (comment)