Support additional external references on main artifact #421

ppkarwasz · 2023-11-04T14:07:17Z

Version 1.5 of CycloneDX introduces new interesting external reference types, such as vulnerability-assertion (VEX), exploitability-statement (VDR) or static-analysis-report.

It would be useful to be able to add such references to the main component of the SBOM through a plugin configuration like this:

<configuration>
  <externalReferences>
    <reference type="exploitability-statement">
      <url>https://...</url>
    </reference>
  </externalReferences>
</configuration>

(the proposed schema is identical to the CycloneDX schema).

This configuration would apply add additional <reference> elements:

for simple SBOMs only to the /metadata/component/externalReferences element of the SBOM,
for aggregate SBOMs also to the /components/component/externalReferences elements representing Maven modules.

Such a feature could easily replace #414.

The text was updated successfully, but these errors were encountered:

The `cyclonedx-maven-plugin` has still some limitations that prevent it from publishing a reproducible `serialNumber` (CycloneDX/cyclonedx-maven-plugin#420) and adding a reference to a VEX document (CycloneDX/cyclonedx-maven-plugin#419 and CycloneDX/cyclonedx-maven-plugin#421). This PR provides a temporary workaround that will allow us to produce an CycloneDX (only the XML version), enhanced with these two elements.

* Add `serialNumber` and VEX references to generate SBOMs The `cyclonedx-maven-plugin` has still some limitations that prevent it from publishing a reproducible `serialNumber` (CycloneDX/cyclonedx-maven-plugin#420) and adding a reference to a VEX document (CycloneDX/cyclonedx-maven-plugin#419 and CycloneDX/cyclonedx-maven-plugin#421). This PR provides a temporary workaround that will allow us to produce an CycloneDX (only the XML version), enhanced with these two elements. --------- Co-authored-by: Volkan Yazıcı <volkan@yazi.ci>

Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>

* Add support for custom external references (#421) Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>

hboutemy · 2024-01-23T04:14:33Z

done in #428

ppkarwasz mentioned this issue Nov 4, 2023

Add serialNumber and VEX references to generate SBOMs apache/logging-parent#56

Merged

vy mentioned this issue Nov 6, 2023

Allow extending the generated SBOM #414

Closed

This was referenced Nov 8, 2023

[MS5] SBOM Support & Security apache/logging-log4j2#1707

Closed

Add support for custom external references #428

Merged

hboutemy added the enhancement label Nov 15, 2023

hboutemy pushed a commit that referenced this issue Dec 9, 2023

Fix JsonUnit baseline to a Java 8 compatible version (#421)

e8dd5cb

Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>

hboutemy pushed a commit that referenced this issue Jan 15, 2024

Add support for custom external references (#428)

8836cbd

* Add support for custom external references (#421) Signed-off-by: Volkan Yazıcı <volkan@yazi.ci>

hboutemy closed this as completed Jan 23, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support additional external references on main artifact #421

Support additional external references on main artifact #421

ppkarwasz commented Nov 4, 2023 •

edited

Loading

hboutemy commented Jan 23, 2024

Support additional external references on main artifact #421

Support additional external references on main artifact #421

Comments

ppkarwasz commented Nov 4, 2023 • edited Loading

hboutemy commented Jan 23, 2024

ppkarwasz commented Nov 4, 2023 •

edited

Loading