protobom/protobom

SPDX serializer includes protobom as creator but CycloneDX serializer does not

Closed this issue · 1 comment

When we use protobom as an SBOM generator, we set our own tool name as a Metadata.Tools entry:

	document.Metadata.Tools = append(document.Metadata.Tools,
		&sbom.Tool{Name: "Veramine SBOM", Version: "0.2.0", Vendor: "Veramine, Inc"})

When we generate SPDX documents, protobom-devel shows up alongside our tool name:

    "creationInfo": {
        "licenseListVersion": "3.20",
        "creators": [
            "Tool: protobom-devel",
            "Tool: Veramine SBOM-0.2.0"
        ],
        "created": "2023-10-23T20:41:15Z"
    },

When we generate CycloneDX documents, protobom-devel is not there:

  "metadata": {
    "tools": [
      {
        "vendor": "Veramine, Inc",
        "name": "Veramine SBOM",
        "version": "0.2.0"
      }
    ],

This is due to serializer_spdx23.go including it:

			Creators: []spdx.Creator{
				// Register protobom as one of the document creation tools
				{
					Creator:     fmt.Sprintf("protobom-%s", version.GetVersionInfo().GitVersion),
					CreatorType: "Tool",
				},
			},

and serializer_cdx.go not including it:

	if bom.Metadata != nil && len(bom.GetMetadata().GetTools()) > 0 {
		var tools []cdx.Tool
		for _, bomtool := range bom.GetMetadata().GetTools() {
			tools = append(tools, cdx.Tool{
				Vendor:  bomtool.Vendor,
				Name:    bomtool.Name,
				Version: bomtool.Version,
			})
		}
		metadata.Tools = &tools
	}

I don't have a strong opinion about including protobom-devel or not, but we should do the same in both. Anyone have a strong preference about whether protobom-devel should always or never be present?
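One way to keep the two serializers from drifting is to build the tool list in a single place and have both output formats render that shared list. The following is an added illustration for this issue, not protobom's own code: the `Tool`, `Metadata`, `SPDXCreator` and `CDXTool` types are simplified stand-ins for the `sbom.Tool`, `spdx.Creator` and `cdx.Tool` shapes visible above, the `includeSelf` flag is a hypothetical policy switch standing in for the "always or never" decision the issue asks about, and the `name-version` creator label is assumed from the `Tool: Veramine SBOM-0.2.0` string in the SPDX output. `sameTools` is the consistency check a reviewer would want: both renderings must name the same tools in the same order.

```go
package main

import "fmt"

// Tool mirrors the fields the issue sets on a protobom sbom.Tool
// (Name, Version, Vendor). Constructed stand-in, not protobom's type.
type Tool struct {
	Name    string
	Version string
	Vendor  string
}

// Metadata holds the tool entries a generator registers on its document.
type Metadata struct {
	Tools []*Tool
}

// SPDXCreator and CDXTool are simplified stand-ins for spdx.Creator and cdx.Tool.
type SPDXCreator struct {
	Creator     string
	CreatorType string
}

type CDXTool struct {
	Vendor  string
	Name    string
	Version string
}

// selfTool is the one place that decides how the library names itself.
// gitVersion plays the role of version.GetVersionInfo().GitVersion ("devel" in the issue).
func selfTool(gitVersion string) *Tool {
	return &Tool{Name: "protobom", Version: gitVersion}
}

// documentTools returns the complete tool list for a document: the library's own
// entry first (when includeSelf is set), then every tool the generator registered.
// Both serializers consume this list, so they cannot disagree about its contents.
func documentTools(meta *Metadata, gitVersion string, includeSelf bool) []*Tool {
	var tools []*Tool
	if includeSelf {
		tools = append(tools, selfTool(gitVersion))
	}
	if meta != nil {
		tools = append(tools, meta.Tools...)
	}
	return tools
}

// creatorLabel renders a tool as the "name-version" string SPDX creators use
// (assumed from "Veramine SBOM-0.2.0" in the issue); a missing version is omitted.
func creatorLabel(t *Tool) string {
	if t.Version == "" {
		return t.Name
	}
	return fmt.Sprintf("%s-%s", t.Name, t.Version)
}

// spdxCreators renders the shared list in SPDX creator form.
func spdxCreators(tools []*Tool) []SPDXCreator {
	out := make([]SPDXCreator, 0, len(tools))
	for _, t := range tools {
		out = append(out, SPDXCreator{Creator: creatorLabel(t), CreatorType: "Tool"})
	}
	return out
}

// cdxTools renders the same list as structured CycloneDX tool entries.
func cdxTools(tools []*Tool) []CDXTool {
	out := make([]CDXTool, 0, len(tools))
	for _, t := range tools {
		out = append(out, CDXTool{Vendor: t.Vendor, Name: t.Name, Version: t.Version})
	}
	return out
}

// sameTools reports whether an SPDX creator list and a CycloneDX tool list
// describe the same tools in the same order, which is the property this issue
// found to be violated.
func sameTools(creators []SPDXCreator, tools []CDXTool) bool {
	if len(creators) != len(tools) {
		return false
	}
	for i, t := range tools {
		want := creatorLabel(&Tool{Name: t.Name, Version: t.Version})
		if creators[i].CreatorType != "Tool" || creators[i].Creator != want {
			return false
		}
	}
	return true
}

func main() {
	// Constructed metadata matching the generator registration shown in the issue.
	meta := &Metadata{Tools: []*Tool{{Name: "Veramine SBOM", Version: "0.2.0", Vendor: "Veramine, Inc"}}}
	tools := documentTools(meta, "devel", true)
	sp, cd := spdxCreators(tools), cdxTools(tools)
	for _, c := range sp {
		fmt.Printf("SPDX creator: %s: %s\n", c.CreatorType, c.Creator)
	}
	for _, t := range cd {
		fmt.Printf("CDX tool: vendor=%q name=%q version=%q\n", t.Vendor, t.Name, t.Version)
	}
	fmt.Println("consistent:", sameTools(sp, cd))
}
```

With `includeSelf` true both documents carry `protobom-devel` ahead of the generator's own entry; with it false neither does. Either policy is defensible, but routing both serializers through `documentTools` is what makes the choice apply uniformly.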
