SBOM semantics and missing properties #146

Open
shoeffner opened this issue Aug 1, 2024 · 4 comments

Comments

@shoeffner

We currently use a custom generator to build SBOMs but are looking into switching to this extension.

I noticed that several fields are missing (e.g., the cpe, the license texts, etc.) and some have different semantics – for example, as far as I understand, the "author" of a component (or, in newer SBOM spec versions, "authors"; maybe also manufacturers?) would be the person/organization who wrote the source code, created the model, etc., while in conan the "author" is the author of the recipe. Maybe the conan recipe author would be fitting for the "supplier" field, or . The author of the BOM, however, should always be Conan (and not the author of the recipe).

I have to admit that I am still unsure about the difference between author and manufacturer (especially since "author" is for "manual" processes and "manufacturer" for automated processes...), but that's maybe not that important right now.

  • Are there any plans to streamline this (and maybe support the specs 1.5 and/or 1.6)?
  • Is there a good way within conanfiles outside of conan_data to specify other relevant fields? (That's what we do right now: we utilize the conan_data with a hash sbom which then contains copyright, cpe, and a couple of other entries which we need; plus, we always extract license texts into a LICENSE file which we place next to the recipe so we can even include that in our SBOM generation.)
@memsharded
Member

Hi @shoeffner

You might be interested in this discussion #143. Some folks from cyclonedx are providing some guidance and feedback there; we are definitely not experts in this, and we don't have the bandwidth for it, so here we are relying mostly on community and other experts' guidance.

@shoeffner
Author

Oh I didn't see that one, thanks. While this is related (with respect to the author field, so I'll chime in on the other issue), I will keep this open as this is also about additional data.

@johan-boule
Contributor

johan-boule commented Sep 23, 2024

Just for information, the cyclonedx-python-lib >=5.0.0 is breaking Conan2's SBOM extension on some conan packages because it has strict validation regarding the number of licenses.

I encountered the issue with the openjdk conanfile.py which declares 2 licences:

```python
license = "GPL-2.0-only WITH Classpath-exception-2.0", "GPL-2.0-only WITH OpenJDK-assembly-exception-1.0"
```

If I edit the file to keep only one licence, this gets rid of the error.

I tried to locate in which version of the cyclonedx-python-lib this check was added, but it is present in the minimal version required, 5.0.0, and the previous version, 4.2.3, doesn't have the same Python module names, so the import raises an exception.

Certainly experts will be needed to understand how to do a proper fix because the specification is full of jargon.
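As an added example (not code from the Conan extension or from anyone in this thread): a small check that pulls the `license` attribute out of a conanfile.py and classifies it into the shapes CycloneDX can express, so recipes like the openjdk one above can be found before SBOM generation fails. It assumes, as the comment reports, that CycloneDX accepts either a list of plain license IDs or a single SPDX expression, never several expressions; the recipe text below is constructed.

```python
import ast
import re
from dataclasses import dataclass, field

# SPDX expressions combine IDs with these operators; a plain ID has none.
SPDX_OPERATOR = re.compile(r"\b(AND|OR|WITH)\b")


@dataclass
class LicenseShape:
    kind: str          # "ids", "expression" or "unrepresentable"
    ids: list = field(default_factory=list)
    expression: str = ""
    reason: str = ""


def classify_conan_license(license_attr):
    """Map a Conan `license` attribute (str, or tuple/list of str) onto the two
    shapes CycloneDX accepts: a list of plain IDs, or exactly one expression."""
    entries = [license_attr] if isinstance(license_attr, str) else list(license_attr)
    entries = [e.strip() for e in entries if isinstance(e, str) and e.strip()]
    if not entries:
        return LicenseShape("unrepresentable", reason="no license declared")
    expressions = [e for e in entries if SPDX_OPERATOR.search(e)]
    if not expressions:
        return LicenseShape("ids", ids=entries)
    if len(entries) == 1:
        return LicenseShape("expression", expression=entries[0])
    # Several expressions (or a mix of IDs and expressions): the openjdk case.
    return LicenseShape("unrepresentable", reason=(
        f"{len(entries)} entries, {len(expressions)} of them SPDX expressions; "
        "CycloneDX allows one expression or a list of plain license IDs"))


def extract_license_attr(conanfile_source):
    """Return the class-level `license` attribute of a conanfile.py, or None."""
    for node in ast.walk(ast.parse(conanfile_source)):
        if not isinstance(node, ast.ClassDef):
            continue
        for stmt in node.body:
            if isinstance(stmt, ast.Assign) and any(
                isinstance(t, ast.Name) and t.id == "license" for t in stmt.targets):
                return ast.literal_eval(stmt.value)
    return None


# Constructed recipe fragment reusing the two expressions quoted in the comment.
SAMPLE_CONANFILE = '''
class OpenJdkConan(ConanFile):
    name = "openjdk"
    license = "GPL-2.0-only WITH Classpath-exception-2.0", "GPL-2.0-only WITH OpenJDK-assembly-exception-1.0"
'''

OPENJDK_SHAPE = classify_conan_license(extract_license_attr(SAMPLE_CONANFILE))
```

Running this over a recipe tree before invoking the extension reports which packages will trip the library's check instead of letting the SBOM build fail mid-way.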

@jngrb

jngrb commented Oct 25, 2024

I would find the CPE information especially useful.

You might take a look at how syft generates the CPE from the processed conan package information, e.g. here:

https://github.com/anchore/syft/blob/e4e985b9b05b9570648399adf292ab7f659b4cef/syft/pkg/cataloger/internal/cpegenerate/generate.go#L137
