Skip to content

Fm/vcs link #124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Nov 17, 2025
Merged

Fm/vcs link #124

merged 2 commits into from
Nov 17, 2025

Conversation

@tamilari
Copy link
Contributor

@tamilari tamilari commented Nov 7, 2025

feat: add Vcs informations to sbom

For spdx, add the Vcs information in the 'download_location' field. Format this string according to the spdx documentation. It is not possible to add the url to the web interface for browsing the repository, since there is no field for this information.

For cdx add the Vcs information and the url to the web interface to the 'external_refs' object with the type set to 'vcs'.

This Vcs information can be useful for analysing the packages (e.g. how well a package is maintained and what the risk factor is).

fmoessbauer
fmoessbauer reviewed Nov 7, 2025
View reviewed changes
@tamilari tamilari force-pushed the fm/vcs-link branch 2 times, most recently from 89bc06e to 88dedcf Compare November 7, 2025 17:46
Urist-McGit
Urist-McGit reviewed Nov 10, 2025
View reviewed changes
@tamilari tamilari force-pushed the fm/vcs-link branch 2 times, most recently from a7304d6 to 28d22b6 Compare November 11, 2025 13:05
@Urist-McGit
Copy link
Collaborator

Urist-McGit commented Nov 17, 2025

LGTM. @gernot-h @fmoessbauer any more comments? I would like to merge this soon so we can get another release ready.

@fmoessbauer
Copy link
Member

fmoessbauer commented Nov 17, 2025

LGTM. @gernot-h @fmoessbauer any more comments? I would like to merge this soon so we can get another release ready.

I also propose to merge this as is. The code part is fine and it also looks like we agreed on the semantics.

@gernot-h
Copy link
Member

gernot-h commented Nov 17, 2025

Well, as discussed in the unresolved discussion above, I would suggest to not emit the "vcsbrowser" information for the CDX format, as there doesn't seem to be a matching reference type for it and it might create confusion to have two "vcs" references. However, if you have good reasons to keep it, @fmoessbauer or @Urist-McGit, I can also live with it, it wouldn't bother me personally.

@tamilari
feat: add Vcs information to sbom
309f080 
For cdx add the Vcs information and the url to the web interface to the
'external_refs' object with the type set to 'vcs'.

For spdx there there isn't a suitable category or type for this in the
externalReferences field. Therefore, we use the Other category with the
custom types 'vcs' and 'vcsBrowser'.

This Vcs information can be useful for analysing the packages (e.g. how
well a package is maintained and what the risk factor is).

Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
test(generation): add test for vcs informaiton
addd530 
Signed-off-by: Tamino Larisch <[email protected]>
@tamilari
Copy link
Contributor Author

tamilari commented Nov 17, 2025

Okay, I've removed the "vcsbrowser" information. Thank you for your help!

@Urist-McGit Urist-McGit merged commit 5b55f43 into siemens:main Nov 17, 2025
11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gernot-h gernot-h gernot-h left review comments

@fmoessbauer fmoessbauer fmoessbauer left review comments

@Urist-McGit Urist-McGit Urist-McGit left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tamilari @Urist-McGit @fmoessbauer @gernot-h