Have ScanCode output conformant to OpenChain Telco SBOM Guide #3915
Comments
|
ScanCode Toolkit is not limited to scanning source so setting a CISA SBOM Type would depend on what codebase was scanned. |
|
@mjherzog |
|
I am not sure about how much code scanning will make sense for the Design SBOM Type, but SCTK could be used for the Source, Build, Analyzed or Deployed SBOM Types so it seems that this would need to be a variable set from the commands to run SCTK. In ScanCode.io it could be a variable set when you generate the SBOM output from data stored in SCIO. It seems likely that this is just one of many SBOM-related data values that ScanCode (SCTK or SCIO) cannot determine from the scanned codebase or from the scan. For example, I would also argue that the Creator: Organization: should not be nexB unless it is an SBOM that nexB actually creates. The SBOM creator should be the organization (or person) who ran ScanCode. |
|
@vargenau Please see also aboutcode-org/dejacode#175. This issue starts a discussion about defining a new data structure in DejaCode for SBOMs separate from Products. This does not directly impact SCTK because we do not have a Product entity in the SCTK data structures, but it is related because we want/try to implement a shared/common data model across AboutCode modules, especially SCTK, ScanCode.io, DejaCode, VulnerableCode and PURL-DB. |
Short Description
OpenChain Telco SBOM Guide is available at https://openchainproject.org/news/2024/09/10/nokia-contributes-validator-for-the-openchain-telco-sbom-guide
To make it conformant, the following information should be added.
Currently, we have (in tag:value):
We should have:
And add the CISA SBOM type:
Possible Labels
Select Category
The text was updated successfully, but these errors were encountered: