Closed
Description
We want to use a CycloneDX SBOM to trace where an artifact came from.
We noticed that an externalReferences entry with the name vcs can specify the git repo.
But there is no name for specifying a git commit id.
Could CycloneDX introduce a name for the git commit id?
Here is an example from spring-boot.
```json
{
  "type" : "library",
  "bom-ref" : "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
  "publisher" : "VMware, Inc.",
  "group" : "org.springframework.boot",
  "name" : "spring-boot",
  "version" : "3.5.4",
  "description" : "Spring Boot",
  "scope" : "required",
  "licenses" : [
    {
      "license" : {
        "id" : "Apache-2.0"
      }
    }
  ],
  "purl" : "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
  "externalReferences" : [
    {
      "type" : "website",
      "url" : "https://spring.io/projects/spring-boot"
    },
    {
      "type" : "issue-tracker",
      "url" : "https://github.com/spring-projects/spring-boot/issues"
    },
    {
      "type" : "vcs",
      "url" : "https://github.com/spring-projects/spring-boot"
    }
  ]
}
```
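As an added example (not part of the issue above, and not code from Spring Boot or the CycloneDX project), the script below shows one way to pin a component to a specific git commit with the schema as it already exists: the `pedigree.commits[]` field (CycloneDX 1.4+), whose `uid` holds the commit id and whose optional `url` points at the commit. It reuses the component quoted in the issue as inline sample data, rejects anything that is not a full 40- or 64-hex git object id (short ids, branches and tags are ambiguous or mutable and do not establish provenance), and includes the consumer-side check a practitioner actually wants: which components reference a repo but carry no pinned commit. The commit id used is a made-up placeholder, and the `/commit/<sha>` URL form is the GitHub convention assumed for this example.

```python
"""Pin a CycloneDX component to a git commit via pedigree.commits and read it back.

Added example, not code from the issue or from Spring Boot / CycloneDX.
The component is the one quoted in the issue, embedded so the script runs offline.
"""
import copy
import re

# Full git object ids only: 40 hex chars (SHA-1) or 64 hex chars (SHA-256 repos).
_GIT_OID = re.compile(r"^(?:[0-9a-f]{40}|[0-9a-f]{64})$")

# Constructed sample input: the Spring Boot component from the issue.
COMPONENT = {
    "type": "library",
    "bom-ref": "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
    "group": "org.springframework.boot",
    "name": "spring-boot",
    "version": "3.5.4",
    "purl": "pkg:maven/org.springframework.boot/spring-boot@3.5.4?type=jar",
    "externalReferences": [
        {"type": "website", "url": "https://spring.io/projects/spring-boot"},
        {"type": "issue-tracker", "url": "https://github.com/spring-projects/spring-boot/issues"},
        {"type": "vcs", "url": "https://github.com/spring-projects/spring-boot"},
    ],
}

# Placeholder commit id for the example; NOT a real Spring Boot commit.
SAMPLE_COMMIT = "0123456789abcdef0123456789abcdef01234567"


def vcs_url(component):
    """Return the url of the first externalReference of type 'vcs', or None."""
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "vcs":
            return ref.get("url")
    return None


def attach_commit(component, commit_id):
    """Return a copy of component with commit_id recorded in pedigree.commits[].uid.

    Raises ValueError for anything that is not a full git object id, so that
    abbreviated hashes, branch names and tags cannot be recorded as provenance.
    """
    if not _GIT_OID.fullmatch(commit_id):
        raise ValueError(f"not a full git object id: {commit_id!r}")
    out = copy.deepcopy(component)  # never mutate the caller's BOM in place
    commit = {"uid": commit_id}
    repo = vcs_url(component)
    if repo:
        # GitHub's commit URL layout; other forges differ (assumption for this example).
        commit["url"] = repo.rstrip("/") + "/commit/" + commit_id
    out.setdefault("pedigree", {}).setdefault("commits", []).append(commit)
    return out


def pinned_commits(component):
    """Return the commit uids recorded under pedigree.commits (empty list if none)."""
    commits = component.get("pedigree", {}).get("commits", [])
    return [c["uid"] for c in commits if "uid" in c]


def components_without_commit(bom):
    """Consumer-side check: bom-refs of components that name a vcs repo but pin no commit.

    A vcs URL alone tells you which repository, not which state of it was built,
    so these are the components whose source provenance is still unverifiable.
    """
    missing = []
    for comp in bom.get("components", []):
        if vcs_url(comp) and not pinned_commits(comp):
            missing.append(comp.get("bom-ref", comp.get("name", "<unnamed>")))
    return missing


if __name__ == "__main__":
    pinned = attach_commit(COMPONENT, SAMPLE_COMMIT)
    print("pinned commits:", pinned_commits(pinned))
    print("unpinned before:", components_without_commit({"components": [COMPONENT]}))
    print("unpinned after:", components_without_commit({"components": [pinned]}))
```

On the consumer side, the same `pedigree.commits[].uid` value is what you compare against the commit recorded by the build (for example in build provenance or a signed attestation); the check above only tells you whether a commit was declared at all, not whether it is the commit that was actually built.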