[FEATURE] Ensure bom-ref for Component and Vulnerability have a (unique) value #141
… not supplied ensuring they have a unique value #141 Signed-off-by: Paul Horton <[email protected]>
some related thoughts: https://github.com/CycloneDX/cyclonedx-php-library/blob/master/docs/dev/decisions/BomDependencyDataModel.md PHP implementation that assigns bom-refs and makes them unique at render time: https://github.com/CycloneDX/cyclonedx-php-library/blob/master/src/Core/Serialize/BomRefDiscriminator.php

@madpah can't we use the PURL string as the bom-ref for a component? The specification does that in the examples.
* feat: `bom-ref` for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141 Signed-off-by: Paul Horton <[email protected]>
* doc: updated documentation to reflect change Signed-off-by: Paul Horton <[email protected]>
* patched other tests to support UUID for bom-ref Signed-off-by: Paul Horton <[email protected]>
* better syntax Signed-off-by: Paul Horton <[email protected]>

@damiencarol - we can't use a PURL in most circumstances, but the model provided for by this library allows that to be the case. This PR was a precursor to a full fix in

will test it as soon as it's ready.
* WIP but a lil hand up for @madpah Signed-off-by: Jeffry Hesse <[email protected]>
* chore: added missing license header Signed-off-by: Paul Horton <[email protected]>
* No default values for required fields
* Add Services to BOM
* Typo fix
* aligned classes with standards, commented out Signature work for now, added first tests for Services Signed-off-by: Paul Horton <[email protected]>
* addressed standards Signed-off-by: Paul Horton <[email protected]>
* 1.2.0 Automatically generated by python-semantic-release Signed-off-by: Paul Horton <[email protected]>
* feat: `bom-ref` for Component and Vulnerability default to a UUID (#142)
* feat: `bom-ref` for Component and Vulnerability default to a UUID if not supplied ensuring they have a unique value #141 Signed-off-by: Paul Horton <[email protected]>
* doc: updated documentation to reflect change Signed-off-by: Paul Horton <[email protected]>
* patched other tests to support UUID for bom-ref Signed-off-by: Paul Horton <[email protected]>
* better syntax Signed-off-by: Paul Horton <[email protected]>
* 1.3.0 Automatically generated by python-semantic-release Signed-off-by: Paul Horton <[email protected]>
* WIP but a lil hand up for @madpah Signed-off-by: Jeffry Hesse <[email protected]> Signed-off-by: Paul Horton <[email protected]>
* chore: added missing license header Signed-off-by: Paul Horton <[email protected]>
* aligned classes with standards, commented out Signature work for now, added first tests for Services Signed-off-by: Paul Horton <[email protected]>
* removed signature from this branch Signed-off-by: Paul Horton <[email protected]>
* Add Services to BOM
* Typo fix
* addressed standards Signed-off-by: Paul Horton <[email protected]>
* resolved typing issues from merge Signed-off-by: Paul Horton <[email protected]>
* added a bunch more tests for JSON output Signed-off-by: Paul Horton <[email protected]>

Co-authored-by: Paul Horton <[email protected]>
Co-authored-by: github-actions <[email protected]>
Currently our models rely on the consumer to specify/provide a value for a Component or Vulnerability's `bom-ref`.

In previous versions of this library, the `purl` was automatically used for this purpose (for Component) but this was removed as a Component may not have a `purl`.

As pointed out in sonatype-nexus-community/jake#91, for Vulnerabilities to be able to specify which Components are affected (in 1.4), Components must have a `bom-ref` - see here.

It's worth noting that `bom-ref` is optional within the schema for both Component and Vulnerability.

This Feature will look to assign a UUID as the `bom-ref` if a value has not been provided by the consumer.