-
-
Notifications
You must be signed in to change notification settings - Fork 62
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Resolve ambiguous definition of serialNumber
#474
Comments
related: #363 |
related: #97 |
The proposed description has some issues
Specifically with:
This would require the BOM creator to maintain a database of all the components (first-party and third-party) and ensure they reuse the same serialNumber. This requirement could not be fulfilled by the majority of existing BOM generators, especially those integrated into CI/CD pipelines. Is the goal of this change to make the serialNumber deterministic? |
We understand that there might be technical hurdles to reuse an unique identifier. Though, we are convinced that these can be overcome in most cases. Our aim is to be make sure that an SBOM creator uses the same serial number (or some other unique identifier for a specific SBOM) for the same primary component. The version field would be incremented for each newly created version. This allows the consumer to correlate different versions of an SBOM from the same SBOM-creator and detect changes between them. At least we imagine the following wording, as an weaker alternative to our original suggestion (though we are not really happy with it): |
When reading this discussion thread, I think I perceive a few subtle misunderstandings:
|
Current Behavior
serialNumber
is defined as an UUID and RECOMMENDED:version
is defined as an integer > 0:Proposed Behavior
In our opinion UUIDs and hence the CycloneDX
serialNumber
must be static ("unequivocal in time and space" = "temporally and spatially unique"), as long as an SBOM creator records the same software component, even if these software componets are altered: e.g. new versions, files or sub-components are added or removed, etc.Hence, we propose as the definition of
serialNumber
:Every BOM creator SHOULD use a unique serial number when describing a specific component, which MUST stay the same if the BOM is re-generated or the contents of this component have changed. If specified, the serial number MUST conform to RFC-4122. Use of serial numbers is RECOMMENDED.
The text was updated successfully, but these errors were encountered: