We want to use a CycloneDX SBOM to trace where an artifact comes from.
We noticed that there is an externalReferences entry with name vcs that can specify the git repo.
But there is no name for specifying the git commit id.
Could CycloneDX introduce a name for the git commit id?
Here is an example from spring-boot.
{
  "type" : "library",
  "bom-ref" : "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
  "publisher" : "VMware, Inc.",
  "group" : "org.springframework.boot",
  "name" : "spring-boot",
  "version" : "3.5.4",
  "description" : "Spring Boot",
  "scope" : "required",
  "licenses" : [
    {
      "license" : {
        "id" : "Apache-2.0"
      }
    }
  ],
  "purl" : "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
  "externalReferences" : [
    {
      "type" : "website",
      "url" : "https://spring.io/projects/spring-boot"
    },
    {
      "type" : "issue-tracker",
      "url" : "https://github.com/spring-projects/spring-boot/issues"
    },
    {
      "type" : "vcs",
      "url" : "https://github.com/spring-projects/spring-boot"
    }
  ]
}
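As an added example (not part of this issue and not CycloneDX's own tooling): a small Python consumer that reads the repository from the vcs reference and reports whether the component is pinned to a commit through fields that exist today, assuming the commit is recorded either in pedigree.commits[].uid (an existing CycloneDX component field) or as a vcs_url purl qualifier; the commit values below are placeholders, not real spring-boot hashes.

```python
import json
from urllib.parse import parse_qs

# Constructed sample input (not taken from a real SBOM): the spring-boot component
# from the issue, extended with a pedigree.commits entry whose uid is an obvious
# placeholder rather than a real commit hash.
PINNED = json.loads("""{
  "type": "library", "name": "spring-boot", "version": "3.5.4",
  "purl": "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
  "externalReferences": [
    {"type": "vcs", "url": "https://github.com/spring-projects/spring-boot"}
  ],
  "pedigree": {"commits": [{"uid": "PLACEHOLDER_COMMIT_SHA"}]}
}""")

# The same component with only the repository URL, as in the issue:
# traceable to a repo, but not to a specific commit.
UNPINNED = {k: v for k, v in PINNED.items() if k != "pedigree"}


def vcs_urls(component):
    """Repository URLs from externalReferences entries of type 'vcs'."""
    return [r["url"] for r in component.get("externalReferences", [])
            if r.get("type") == "vcs" and "url" in r]


def commit_ids(component):
    """Commit identifiers a consumer can read from a component today:
    pedigree.commits[].uid, and a purl 'vcs_url' qualifier of the form
    '<url>@<commit>' (a qualifier the purl specification defines)."""
    ids = [c["uid"] for c in component.get("pedigree", {}).get("commits", [])
           if c.get("uid")]
    qualifiers = parse_qs(component.get("purl", "").partition("?")[2])
    for vcs_url in qualifiers.get("vcs_url", []):
        if "@" in vcs_url:
            ids.append(vcs_url.rsplit("@", 1)[1])
    return ids


def provenance(component):
    """Summarise how far the artifact can be traced back: repo only, or a commit."""
    urls, ids = vcs_urls(component), commit_ids(component)
    return {"vcs": urls, "commits": ids, "pinned": bool(urls) and bool(ids)}


if __name__ == "__main__":
    for label, comp in (("pinned", PINNED), ("unpinned", UNPINNED)):
        print(label, provenance(comp))
```

Components that report pinned: False are the ones this issue is about: the SBOM names the repository but gives no commit to check the build against.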