SPDX and CycloneDX have fields for additional metadata to pass in. My organisation faces similar problems they want to solve with the metadata. For example, “tag” the team that created the SBOM. What are the plans for the syft format on how to solve this? Could a “Tags” area (as is often seen with cloud providers) be something to consider?
Would these tags just be arbitrary strings and get put in a list somewhere in the Syft SBOM and have no other purpose? Do these map to any specific fields that SPDX or CDX defines or would this be strictly additional metadata provided by the syft user?
Hey Keith,
In our case these would be key/value pairs. An example could be when you created the SBOM from an OCI image: there could be a field “registry” and “SHA” or something like “teamname”. I took a fast look into CycloneDX and there seem to be properties (Extended Use Case: Extensibility through CycloneDX Properties | CycloneDX) that suit that use case. For syft I would love to have something similar, but also that I can specify these via the CLI when creating my SBOM.
Thanks for your fast response!
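The CycloneDX properties route mentioned above, as an added example that is not part of this thread or of syft itself: a small post-processing step that stamps key/value pairs such as registry or teamname into the `metadata.properties` array of a CycloneDX JSON document (for instance one written by `syft <image> -o cyclonedx-json`). The `org:` name prefix and the sample document are assumptions.

```python
"""Attach key/value metadata to a CycloneDX JSON SBOM via metadata.properties."""
import copy
import json
import re
from typing import Optional

# CycloneDX property names are plain strings; namespacing them avoids clashes
# with other tools. "org" is an assumed in-house prefix, not a registered taxonomy.
NAMESPACE = "org"
_NAME_RE = re.compile(r"^[A-Za-z0-9_.:-]+$")


def add_properties(sbom: dict, props: dict) -> dict:
    """Return a copy of `sbom` with `props` merged into metadata.properties.

    An existing property with the same name is replaced, so re-running the
    step (e.g. in a CI job) does not accumulate duplicates.
    """
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = copy.deepcopy(sbom)  # never mutate the caller's SBOM
    metadata = out.setdefault("metadata", {})
    existing = list(metadata.get("properties", []))
    for key, value in props.items():
        name = f"{NAMESPACE}:{key}"
        if not _NAME_RE.match(name):
            raise ValueError(f"invalid property name: {name!r}")
        existing = [p for p in existing if p.get("name") != name]
        existing.append({"name": name, "value": str(value)})
    metadata["properties"] = existing
    return out


def get_property(sbom: dict, key: str) -> Optional[str]:
    """Look up one namespaced property value, or None if absent."""
    for p in sbom.get("metadata", {}).get("properties", []):
        if p.get("name") == f"{NAMESPACE}:{key}":
            return p.get("value")
    return None


# Constructed minimal CycloneDX 1.4 document standing in for a syft-generated one.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "version": 1,
    "metadata": {"component": {"type": "container", "name": "example/app:1.0"}},
    "components": [],
}

if __name__ == "__main__":
    tagged = add_properties(SAMPLE_SBOM, {"teamname": "platform", "registry": "registry.example.internal"})
    print(json.dumps(tagged["metadata"]["properties"], indent=2))
```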