-
-
Notifications
You must be signed in to change notification settings - Fork 85
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use Cases: Files #34
Comments
Ok, currently suggesting guidance along the lines of this
|
Here's an example SBOM that I generated with a prototype of cyclonedx-gomod, using the We should probably include guidance on the length of those short hashes as well. Git doesn't use a fixed length, so "just do it like Git" may be ambiguous:
See https://git-scm.com/book/en/v2/Git-Tools-Revision-Selection I don't think we have to care about hashes of files overlapping, like git has to, because the version alone does not define the identity of a file. |
Yeah, collision is also less likely on the same file that has been modified. I wonder what the length should be though? 12 seems reasonable to me. |
Do we have agreement on recommending Do we have agreement on the use of SHA1? Should we recommend SHA-256 instead? Do we have agreement on recommending use of the first 12 characters of the hash? |
Another idea, should a recommended option be The Regarding SHA1 vs SHA-256, this shouldn't be used for integrity use cases, and the hash is being truncated. So I don't think the quality of the hash is as relevant for this. But it would be good to align to existing identification use cases like the short hash in git. Are there other existing ecosystem scenarios similar to this we should consider? |
Curious, would the build number be something that vendors typically include in their BOM? While sometimes you see build numbers being part of the version, most of the time vendors don't expose that info IME.
Not only is it fairly easy to recreate, it's also obvious what it means. Especially if the full hashes can be found in the component's Additionally, if you were to diff two BOMs from different builds, you'd get a lot of changes without the files actually being different. After all, everyone is and should be free to do what they feel is best. But the standard / best practice should be to choose a simple, reproducable and obvious way IMO. |
Yeah, I agree @nscuro. Ignore the build number idea. |
…o account versioning for files as per CycloneDX/cyclonedx.org#34 Signed-off-by: Paul Horton <[email protected]>
We should provide guidance and an example of describing components down to the file level.
In some cases it is possible to determine a file version, i.e. DLLs. But for a lot of file types this isn't possible. And I suggest a hash is used as the version on those files.
The text was updated successfully, but these errors were encountered: