Proposal: Support for BOM-Link #252

Open

prabhu opened this issue Oct 5, 2023 · 0 comments
Comments

prabhu commented Oct 5, 2023

We currently do not have an authoritative way to establish a link between a purl and a bom document. Due to the differences in generator tools, the same package (identified by a purl) could have a varying number of components in the generated Bill of Materials (BOM) document.

The proposal is to use/standardize a query parameter to specify the BOM-Link of a package identified by purl.

https://cyclonedx.org/capabilities/bomlink/

Example 1: An SBOM where the given package is the parent component

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a7%2F1

f08a6ccd-4dce-4759-bd84-c626675d60a7 - serialNumber of the BOM
1 - version of the BOM

Example 2: A BOM where the given package is not the parent component

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a8%2F1%2FcomponentA

f08a6ccd-4dce-4759-bd84-c626675d60a8 - serialNumber of the BOM
1 - version of the BOM
componentA - BOM Ref. This could also be a purl, in which case it has to be encoded.

2A: BOM Ref is an encoded purl

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a8%2F1%2Fpkg%3Anpm%2F%2540cyclonedx%2Fcdxgen%409.8.7

Future Extension

A bomlocator parameter could be used to specify the URL (or the BOM-Link!) of an external service that can be used to locate BOM documents.

Hypothetical Example 1: ghcr support for storing BOM artefacts under ghcr.io/bom/{bomlink}

bomlocator is a fully encoded URL

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlocator=ghcr.io%2Fbom%2Furn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a7%2F1

Hypothetical Example 2: ghcr support for BOM becomes well-known

bomlocator is a simple alias with bomlink

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a7%2F1&bomlocator=ghcr.io

Hypothetical Example 3: The same document is mirrored in multiple sources to avoid downtime

bomlocator is a list of aliases

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a7%2F1&bomlocator=ghcr.io&bomlocator=quay.io

Hypothetical Example 4: ghcr has a separate locator service for free and enterprise customers.

bomlocator uses a BOM-Link

pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60b7%2F1&bomlocator=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60c8%2F1%2FghcrServiceA

  • The downstream tool would first retrieve the SaaSBOM document for urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60c8%2F1%2FghcrServiceA.
  • Identify the correct BOM Locator to use
  • Invoke the BOM Locator service with the BOM-Link belonging to the document
  • Profit!
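Parsing the proposed qualifiers, as an added example that is not code from the issue, from cdxgen or from the purl-spec project: the block below decodes the `bomlink` and `bomlocator` qualifiers out of a purl, splits a BOM-Link into serialNumber, version and bom-ref, leaves a purl bom-ref in its once-encoded canonical form as Example 2A requires, and classifies each `bomlocator` value as a URL, an alias or a BOM-Link in the way the hypothetical examples use them. The `BomLink` type, the `classify_locator` heuristic (a value containing `/` is a URL, otherwise an alias) and the rule that a bare alias locator is only accepted together with a `bomlink` are assumptions made for this example. Two caveats a practitioner would want: the published CycloneDX BOM-Link format separates the bom-ref with `#` (`urn:cdx:serialNumber/version#bom-ref`) rather than the `/` used in the examples above, so the parser accepts both and prints the `#` form; and the purl spec requires qualifier keys to be unique, so the repeated `bomlocator` keys of Hypothetical Example 3 are collected into a list here but would need a different encoding in a spec-conforming purl.

```python
"""Parse the proposed bomlink/bomlocator purl qualifiers (editor's example, not
issue or purl-spec code; types, locator heuristic and alias rule are assumptions)."""
from __future__ import annotations

import uuid
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class BomLink:
    serial_number: uuid.UUID
    version: int
    bom_ref: str | None = None  # None: the link names the whole BOM

    def __str__(self) -> str:
        # CycloneDX's published BOM-Link form puts '#' before the bom-ref.
        base = f"urn:cdx:{self.serial_number}/{self.version}"
        return base if self.bom_ref is None else f"{base}#{self.bom_ref}"


def parse_bomlink(value: str) -> BomLink:
    """Parse a percent-decoded BOM-Link; ValueError on anything malformed.

    Accepts the issue's urn:cdx:<serial>/<version>/<bom-ref> form and the
    CycloneDX urn:cdx:<serial>/<version>#<bom-ref> form.  The bom-ref is not
    decoded a second time, so a purl bom-ref (Example 2A) stays canonical.
    """
    prefix = "urn:cdx:"
    if not value.startswith(prefix):
        raise ValueError(f"not a BOM-Link: {value!r}")
    rest, bom_ref = value[len(prefix):], None
    if "#" in rest:
        rest, bom_ref = rest.split("#", 1)
    parts = rest.split("/", 2)  # serial, version, optional bom-ref
    if len(parts) == 3:
        if bom_ref is not None:
            raise ValueError(f"bom-ref given twice: {value!r}")
        bom_ref = parts[2]
    if len(parts) < 2 or not parts[1].isdigit() or int(parts[1]) < 1:
        raise ValueError(f"BOM-Link needs <serial>/<version>: {value!r}")
    if bom_ref == "":
        raise ValueError(f"empty bom-ref: {value!r}")
    return BomLink(uuid.UUID(parts[0]), int(parts[1]), bom_ref)  # UUID check


def parse_purl_qualifiers(purl: str) -> dict[str, list[str]]:
    """Qualifiers as key -> decoded values; lists keep repeated keys
    (the purl spec itself requires qualifier keys to be unique)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl.split("#", 1)[0]  # drop any subpath
    qualifiers: dict[str, list[str]] = {}
    if "?" not in body:
        return qualifiers
    for pair in body.split("?", 1)[1].split("&"):
        key, sep, raw = pair.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed qualifier: {pair!r}")
        # keys are case-insensitive; values are percent-encoded exactly once
        qualifiers.setdefault(key.lower(), []).append(unquote(raw))
    return qualifiers


def classify_locator(value: str) -> str:
    """Assumed heuristic: BOM-Link, else URL if it has a path, else alias."""
    if value.startswith("urn:cdx:"):
        parse_bomlink(value)  # validate; raises on garbage
        return "bomlink"
    return "url" if "/" in value else "alias"


def extract_bom_references(purl: str):
    """Return (BomLink or None, tuple of (kind, decoded locator value))."""
    q = parse_purl_qualifiers(purl)
    links = q.get("bomlink", [])
    if len(links) > 1:
        raise ValueError("bomlink must not be repeated")
    bomlink = parse_bomlink(links[0]) if links else None
    locators = tuple((classify_locator(v), v) for v in q.get("bomlocator", []))
    # assumption: a bare alias such as "ghcr.io" only resolves with a bomlink
    if bomlink is None and any(kind == "alias" for kind, _ in locators):
        raise ValueError("alias bomlocator requires a bomlink qualifier")
    return bomlink, locators


def is_valid_bom_purl(purl: str) -> bool:
    try:
        extract_bom_references(purl)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Example 2A from the issue: the bom-ref is itself an encoded purl
    link, locs = extract_bom_references(
        "pkg:npm/%40cyclonedx/cdxgen@9.8.7?bomlink=urn%3Acdx%3Af08a6ccd-4dce-4759-bd84-c626675d60a8%2F1%2Fpkg%3Anpm%2F%2540cyclonedx%2Fcdxgen%409.8.7")
    print(link, locs)
```

Run it on Example 2A and the bom-ref comes back as `pkg:npm/%40cyclonedx/cdxgen@9.8.7`, the canonical purl, because the qualifier value is decoded exactly once; decoding it again would turn `%40` into `@` and produce a bom-ref that no longer matches the purl stored in the BOM. The serialNumber is validated as a UUID and the version as a positive integer, so a tool that resolves links will reject a malformed qualifier before it ever reaches a locator service.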