[DRAFT] extraneous components and version range constraints #326
Conversation
jkowalleck
changed the title
jkowalleck
force-pushed
the
1.6-extraneous-components-draft1
branch
from
1f02490 to
68f3340
Compare
jkowalleck
force-pushed
the
1.6-extraneous-components-draft1
branch
from
8c24415 to
04251bf
Compare
|
Thank you for putting this together. Few questions. How is The versionRange is interesting. I like it, but it will not work in all situations. For example, if a extraneous component is Windows and the range is 2000, XP, Vista, 7, 8, 10, and 11. I think we'll need another way to specify possible versions. |
a component could be optional AND extraneous at the same time. current I guess my confusion is caused by the fact that the
Actually, Windows XP/Vista/etc... they all have version numbers and buildID. VERS supports complete SemVer spec -- and therefore knows the format I could add examples for popular operating systems and runtime-engines to |
I don't think that's necessary. I'm just wondering how many people would understand that marketing names have actual version numbers. |
related to CycloneDX#321 CycloneDX#321 Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
jkowalleck
force-pushed
the
1.6-extraneous-components-draft1
branch
from
04251bf to
9b1c166
Compare
Signed-off-by: Jan Kowalleck <[email protected]>
Signed-off-by: Jan Kowalleck <[email protected]>
| @@ -913,6 +919,12 @@ | |||
| "description": "Specifies the scope of the component. If scope is not specified, 'required' scope SHOULD be assumed by the consumer of the BOM.", | |||
| "default": "required" | |||
| }, | |||
| "isExtraneous": { | |||
There was a problem hiding this comment.
If the environment provides a component, then it is best to capture it under formulation instead of having such boolean flags.
There was a problem hiding this comment.
why should it be under "formulation"?
form,ulation is build-time, while this domain here may also be runtime.
There was a problem hiding this comment.
Wouldn't such runtime-only components not captured in an OBOM?
There was a problem hiding this comment.
how would you make it clear in an obom, that the build result descibed in an SBOM needs windows 11 patch 23H2 on runtime? Or that it requires python 3.11 or later as an interpreter?
I dont know ... this is why this PR exists, to discuss these options and maube provide a solution :-)
read more here in the sectiopn "usecases" of #321
There was a problem hiding this comment.
Thank you. I should've read the use cases first, which helped. I would have used two separate documents and linked them via external references. However, I see the appeal of having a single combined document for both SBOM and its operating environment. Perhaps component.type = "platform" indicates runtime without the need for the additional boolean flag?
|
Dropped this issue/request from the 1.6 milestone goals, and moved it to 1.7 for the following reasons: did not finish in time for 1.6, needs further discussion. need to migrate this PR after 1.6 was finished/published/merged ... |
| <components> | ||
| <component type="library" isExtraneous="false"> | ||
| <name>InvalidVersions</name> | ||
| <versionRange><![CDATA[>=9.0.0|<10.0.0]]></versionRange> |
There was a problem hiding this comment.
I just took the version-part of VERS.
maybe this was wrong, need to read the specs of verts again ...
|
superseded by #586 |
Sketch/proposal for #321
implementing with
components, because the objects referenced/required are actually used at runtime and therefore are considered a "component".SKIPPED THIS FOR NOW as I do not have a lot of practice with PB schema
Please help :-)