Add BOM Meta Endpoint #2
Comments
|
If this is acceptable, I'll create a PR that adds this to the spec and we can figure out the details. |
|
Should we include group, name and version of the software the BOM is for as well? |
I don't think so. CycloneDX has these things. SPDX does not. IMO, I think we keep it strictly metadata about the BOM, not its contents. |
|
This is much like HEAD in HTTP. I like this idea. |
HEAD has no body returned. rfc9110 9.3.2 |
|
I understand the concept in this ticket, but it is not clear in this ticket why such an endpoint is required and in what scenarios this provides value. @stevespringett, @oej - is there anything that can be added as a reference or explanation (for myself and the wider community)? |
|
Note that this ticket is pre-TEA, it does not refer to current work. |
The idea behind a BOM Meta endpoint is to provide format, hash, and external signature information.
The BOM Meta retrieval would work similar to the existing BOM retrieval, but would return metadata rather than the BOM itself.
As an example, here's a snippet response for what I'm thinking about being returned:
{ "spec": { "format": "CycloneDX", "version": "1.4", "mime-type": "application/vnd.cyclonedx+json", }, "published": "2022-03-07T15:50+00Z", "checksum": [ { "alg": "SHA-256", "value": "CF80CD8..." }, { "alg": "SHA-512", "value": "CF80CD8..." }, { "alg": "SHA3-256", "value": "CF80CD8..." }, { "alg": "SHA3-512", "value": "CF80CD8..." }, { "alg": "BLAKE3", "value": "CF80CD8..." } ], "signature": [ ] }I think
algshould be an enum with only those supported algorithms.As for signatures, it would be ideal if we could support external signature files, signature services (e.g sigstore), and external inline.
The text was updated successfully, but these errors were encountered: