
First of all, thanks for providing such a library. It works great, the documentation is neat, and it saved our lives in tackling our approach to implementing SBOMs in the AlmaLinux Build System (from where we build AlmaLinux OS).

This is more of a question than an issue, and please forgive me if it's a stupid question, but I'm pretty new to SBOMs and I felt that before designing our workflow it was worth asking here (maybe this is not even the right place to ask?).

So far, we're already generating SBOMs for some of the artifacts that the Build System creates. Since these artifacts can change over time, we were wondering what the right approach is to update an existing SBOM, since I couldn't find anything relevant or any "good practices" on the subject. I tried to set the version field when generating a new BOM, but so far it ends up being a new field called ersion.

Other than that, technically, it shouldn't be that difficult: we can store our generated SBOMs somewhere and then use these files to take the relevant serialNumber and increase the version manually, but still, we would like to know your thoughts on this.

Thanks again,
Javi

Updating an existing SBOM in JSON/XML format would start with reading an SBOM, going through de-serializing and de-normalizing to have an SBOM data model that can be altered, so that this modified result can be put to JSON/XML later.
The described feature is powered by #185. @madpah is working on this via #290, and it is planned to be part of release 4.0.0.
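The interim approach the question describes (store the previous SBOM, keep its serialNumber, increase the version by hand) is exactly what the CycloneDX specification asks for: a modified BOM keeps its serialNumber and increments `version` by 1, and a consumer holding several BOMs with the same serialNumber should prefer the highest version. The following is an added example, not code from cyclonedx-python-lib or the AlmaLinux Build System. It edits the raw JSON document with the standard library only, so it does not depend on the de-serialization work mentioned in the reply. The function names, the sample BOM and the component lists are invented for this example.

```python
"""Produce the next version of an existing CycloneDX JSON BOM.

Added example, not code from cyclonedx-python-lib or the AlmaLinux Build
System. It edits the raw JSON document with the standard library only, so
it does not depend on the library's de-serialization work; all function
names and the sample BOM below are invented for this example.
"""
import copy
import json
import re
from datetime import datetime, timezone
from typing import Optional

# CycloneDX serialNumber values are RFC 4122 UUID URNs.
_SERIAL_RE = re.compile(
    r"^urn:uuid:[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE
)

# Constructed sample: a BOM as stored from an earlier build, not a real artifact.
PREVIOUS_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
    "version": 1,
    "metadata": {"timestamp": "2022-09-20T07:20:00+00:00"},
    "components": [
        {"type": "library", "name": "openssl", "version": "1.1.1k",
         "purl": "pkg:rpm/almalinux/openssl@1.1.1k"},
        {"type": "library", "name": "zlib", "version": "1.2.11",
         "purl": "pkg:rpm/almalinux/zlib@1.2.11"},
    ],
})

# Constructed: the components the rebuilt artifact contains now.
CURRENT_COMPONENTS = [
    {"type": "library", "name": "openssl", "version": "1.1.1q",
     "purl": "pkg:rpm/almalinux/openssl@1.1.1q"},
    {"type": "library", "name": "zlib", "version": "1.2.11",
     "purl": "pkg:rpm/almalinux/zlib@1.2.11"},
]


def next_bom_version(previous_json: str, components: list,
                     now: Optional[datetime] = None) -> dict:
    """Return a new BOM document that supersedes `previous_json`.

    Per the CycloneDX spec, a modified BOM keeps its serialNumber and
    increments `version` by 1 (default 1 when absent). metadata.timestamp
    is refreshed and the component list is replaced by `components`.
    """
    bom = json.loads(previous_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX JSON BOM")
    serial = bom.get("serialNumber")
    if not isinstance(serial, str) or not _SERIAL_RE.match(serial):
        # Without a stable serial number consumers cannot correlate versions;
        # refuse instead of silently minting a new identity.
        raise ValueError(f"missing or malformed serialNumber: {serial!r}")
    version = bom.get("version", 1)
    if isinstance(version, bool) or not isinstance(version, int) or version < 1:
        raise ValueError(f"invalid BOM version: {version!r}")

    new = copy.deepcopy(bom)
    new["version"] = version + 1
    stamp = (now or datetime.now(timezone.utc)).isoformat(timespec="seconds")
    new.setdefault("metadata", {})["timestamp"] = stamp
    new["components"] = copy.deepcopy(components)
    return new


def component_diff(old: dict, new: dict) -> dict:
    """List components added/removed between two versions of the same BOM.

    Components are keyed by purl, falling back to name@version.
    """
    if old.get("serialNumber") != new.get("serialNumber"):
        raise ValueError("different serialNumbers: not versions of one BOM")

    def keys(bom: dict) -> set:
        return {c.get("purl") or f"{c.get('name')}@{c.get('version')}"
                for c in bom.get("components", [])}

    before, after = keys(old), keys(new)
    return {"added": sorted(after - before), "removed": sorted(before - after)}


def demo() -> tuple:
    """Bump the constructed BOM with a fixed clock; returns (old, new, diff)."""
    fixed_now = datetime(2023, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    old = json.loads(PREVIOUS_BOM_JSON)
    new = next_bom_version(PREVIOUS_BOM_JSON, CURRENT_COMPONENTS, now=fixed_now)
    return old, new, component_diff(old, new)


if __name__ == "__main__":
    _old, _new, _diff = demo()
    print(json.dumps(_new, indent=2))
    print("changed:", _diff)
```

The same two rules apply to the XML form, where `serialNumber` and `version` are attributes of the root `bom` element. The example refuses to bump a BOM whose serialNumber is missing or malformed rather than generating a fresh one, because a new serialNumber would make the result look like an unrelated BOM to any consumer that correlates versions; `component_diff` is there so the build system can record what actually changed between two versions before publishing the new one.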

@javihernandez

Hi @jkowalleck,

and thanks for your quick response! I should have looked around a bit more before asking, but I guess your answer makes it crystal clear to anybody wondering the same as me. There's no rush on our side, as we are only now starting our work on SBOM generation.
I guess that, for now, I don't have any specific question about the upcoming changes to the library. I'll probably wait until they're ready and get back to you only in case we still have questions/doubts about it.

Thanks!

@jkowalleck

:-D Feedback or discussions from downstream users of the library are highly appreciated.
Feel free to join the dedicated "#python" CycloneDX Slack channel at: https://cyclonedx.org/slack/invite

Category: Ideas

This discussion was converted from issue #307 on September 20, 2022 07:20.