
[FEATURE]: properties for externalReferences #608

Open
gernot-h opened this issue Mar 5, 2025 · 2 comments

Comments

@gernot-h

gernot-h commented Mar 5, 2025

Allow custom properties for externalReferences

CycloneDX already allows a rich set of https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences_items_type to specify artefacts for a given component.

Such artefacts however usually have connected metadata like author, timestamps etc. Often, it would be very helpful to specify such metadata directly in the SBOM, e.g. to allow for filtering of references by metadata in postprocessing steps.

In my case, an internal component analysis tool enriches SBOMs of a (large) OS image with externalReferences to per-component analysis reports. This SBOM is then archived for later reference.

Now I want to take such an SBOM and download a subset of reports, e.g. filtered by author or date of creation. I could easily extend the analysis tool to store the reports' metadata in the SBOM if I had a way to express it. First, I tried to store the metadata with some syntax in the comment field, but decided that's not the way to go. So as of today, I need to either query the component analysis tool for metadata of all externalReferences in later processing steps or create a proprietary file along with the SBOM to hold this metadata.

Possible solutions

I think an easy solution could be to just allow custom properties in externalReferences as CycloneDX already has for components.

Alternatives

I also thought about creating a 2nd SBOM listing the component analysis reports as components, using dependencies to connect them to the SBOM listing the actual components, but this doesn't really seem to be along the idea of SBOMs.

@jkowalleck
Member

jkowalleck commented Mar 5, 2025

Sounds interesting.
So you want to make machine-readable "annotations" to a specific external reference?

An alternative I see is to add a bom-ref to the external reference, and use it in the existing "annotations" feature.


According to our https://cyclonedx.org/participate/standardization-process/
I would ask you to prototype the needed changes and showcase the impact

Please open a pull request, changing the schema and adding a test.

Next iteration is 1.7 - so the pull request's source/target branch would be https://github.com/CycloneDX/specification/tree/1.7-dev
The test cases would go somewhere into here: https://github.com/CycloneDX/specification/tree/1.7-dev/tools/src/test/resources/1.7
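The two shapes discussed so far (the issue's inline `properties` on an externalReference, and the `bom-ref` plus top-level annotation alternative above) can both be filtered the way the issue describes. The following is an added example, not code from the issue or from the CycloneDX project: it builds a constructed CycloneDX 1.6-style BOM, reads per-reference author and creation date from either shape, and selects report URLs by those values. Neither `properties` nor `bom-ref` on an externalReference exists in the published 1.6 schema; both are the proposed changes under discussion, and the property names `internal:author` / `internal:created` are invented for this example. The annotation fields (`subjects`, `annotator`, `timestamp`, `text`) follow the existing annotations model.

```python
import json
from datetime import datetime

# Constructed sample BOM for this example (not a real SBOM). The
# `component-analysis-report` reference type is a real 1.6 enum value;
# `properties` and `bom-ref` on a reference are the PROPOSED additions.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "components": [
        {
            "type": "library",
            "name": "zlib",
            "version": "1.3.1",
            "bom-ref": "pkg:generic/zlib@1.3.1",
            "externalReferences": [
                {
                    # Shape A (proposed in the issue): inline properties,
                    # mirroring the properties already allowed on components.
                    "type": "component-analysis-report",
                    "url": "https://reports.example.internal/zlib/1.3.1/a1.json",
                    "properties": [
                        {"name": "internal:author", "value": "alice"},
                        {"name": "internal:created", "value": "2025-02-10T09:00:00Z"},
                    ],
                },
                {
                    # Shape B (alternative from the thread): a bom-ref on the
                    # reference so an existing top-level annotation can target it.
                    "type": "component-analysis-report",
                    "url": "https://reports.example.internal/zlib/1.3.1/a2.json",
                    "bom-ref": "extref:zlib-report-2",
                },
            ],
        }
    ],
    "annotations": [
        {
            "subjects": ["extref:zlib-report-2"],
            "annotator": {"individual": {"name": "bob"}},
            "timestamp": "2025-03-01T12:00:00Z",
            "text": "Report generated by the internal component analysis tool.",
        }
    ],
}


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; the 'Z' suffix is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def reference_metadata(bom):
    """Return (component name, url, {author, created}) for every externalReference,
    merging shape A (inline properties) and shape B (annotation via bom-ref)."""
    by_ref = {}
    for ann in bom.get("annotations", []):
        who = ann.get("annotator", {})
        name = (who.get("individual") or who.get("organization") or {}).get("name")
        for subject in ann.get("subjects", []):
            by_ref[subject] = {"author": name, "created": ann.get("timestamp")}

    rows = []
    for comp in bom.get("components", []):
        for ref in comp.get("externalReferences", []):
            meta = {"author": None, "created": None}
            for prop in ref.get("properties", []):          # shape A
                if prop["name"] == "internal:author":
                    meta["author"] = prop["value"]
                elif prop["name"] == "internal:created":
                    meta["created"] = prop["value"]
            meta.update(by_ref.get(ref.get("bom-ref"), {}))  # shape B
            rows.append((comp["name"], ref["url"], meta))
    return rows


def select_urls(bom, author=None, created_after=None):
    """URLs of references matching the optional author / created-after filters."""
    cutoff = _parse_ts(created_after) if created_after else None
    out = []
    for _, url, meta in reference_metadata(bom):
        if author and meta["author"] != author:
            continue
        if cutoff and (not meta["created"] or _parse_ts(meta["created"]) < cutoff):
            continue
        out.append(url)
    return out


if __name__ == "__main__":
    print(json.dumps(reference_metadata(SAMPLE_BOM), indent=2))
    print(select_urls(SAMPLE_BOM, author="bob"))
    print(select_urls(SAMPLE_BOM, created_after="2025-02-15T00:00:00Z"))
```

Shape A keeps the metadata next to the reference it describes; shape B reuses the existing annotations model but only carries author and timestamp natively, so any further attributes (internal artefact IDs, for instance) would again have to be encoded in the free-text `text` field.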

@gernot-h
Author

gernot-h commented Mar 5, 2025

> Sounds interesting. So you want to make machine-readable "annotations" to a specific external reference?
>
> An alternative I see is to add a bom-ref to the external reference, and use it in the existing "annotations" feature.

Looking at https://cyclonedx.org/specification/overview/, I'm not sure if annotations target my use case. My question is about storing "inherent", but arbitrary attributes of an external reference in the SBOM for later reference (e.g. a filesystem or upload timestamp, the creator of the referenced artefact, internal artefact IDs which are not part of its URL etc.).

> According to our https://cyclonedx.org/participate/standardization-process/
> I would ask you to prototype the needed changes and showcase the impact
>
> Please open a pull request, changing the schema and adding a test.

Will do that asap!
