Feature Request: new ComponentType "runtime"

[dcentrica]

At as v1.4 the only values accepted by components.type are as follows:

• "application"
• "framework"
• "library"
• "container"
• "operating-system"
• "device"
• "firmware"
• "file"

Having reviewed the definitions of each, none fits the bill to describe an application's runtime e.g. "JVM", "Python", "php-fpm" etc. These are programming language runtimes, and not "frameworks" or "libraries".

My suggestion is to add a new components.type of "runtime".

[stevespringett]

CycloneDX v1.5 adds a few more component type. One of the new types is platform which is defined as

A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms

[jkowalleck]

JVM interprets byte code.
Python and php-fpm interprets (script) code.

PS: nowadays, some are actually just-in-time compilers, not pure interpreters.

[jkowalleck]

@dcentrica what about using component.type value "platform" ?
We might adjust the documentation, to make clear that is serves the desired purpose. What would have helped you?

- A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.
+ A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode, or just-in-time compilers, or low-code/no-code application platforms.

[jkowalleck]

@stevespringett if we wanted to extend the docs and meaning of an enum, do we need to consult the @CycloneDX/industry-working-group ?

PS: got an answer offline: nope, not needed.

[jkowalleck]

see also

• [FEATURE]: Add additional component types for Manufacturing/Formulation/ML artifacts #563
• Change component type so that it's not required or add a new type of unassigned #466