
CycloneDX equivalents for SBOM guidelines #80

@twaugh

Description

https://github.com/RedHatProductSecurity/security-data-guidelines/blob/main/docs/sbom.md#formats:

In the future, we may add similar guidelines for CycloneDX and SPDX 3.0.

A need for CycloneDX guidelines comes from this Konflux CI ADR: konflux-ci/architecture#301
specifically here: konflux-ci/architecture#301 (review)

The specific case at hand is about identifying the git tree from which the specific component was built, for example like this in an SPDX "package" object:

  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:github/my-org/my-app@7d35c64261eeb9e9f8b2b4b0d119366dda99c6fd"
    }
  ]

The discussion in the ADR PR describes potential ways to express this in CycloneDX for a "component":

  • "externalReferences": [
      {
        "type": "vcs",
        "url": "https://github.com/example/project.git"
      }
    ]
    ...but which package should this be a part of? Adding it to the binary package seems incorrect, so perhaps there should be a source package representing the source code within the git repository, with these external references, and with a GENERATED_FROM relationship indicating the binary artifact was generated from the source code (by e.g. compilation).
  • "pedigree": {
      "commits": [
        {
          "uid": "7638417db6d59f3c431d3e1f261cc637155684cd",
          "url": "https://github.com/example/project/commit/7638417db6d59f3c431d3e1f261cc637155684cd"
        }
      ]
    }
    ...but isn't pedigree.commits for changes to the component relative to the external references?
  • a combination of the above
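
To make the two candidate representations concrete, here is an added example (not from the issue, the guidelines, or any CycloneDX tooling) that reads the build-source repository and commit from an SPDX package's `pkg:github` purl and from a CycloneDX component carrying a `vcs` external reference plus `pedigree.commits`, then checks that both name the same source. The sample documents are constructed; the CycloneDX `externalReferences` field is written as an array, as the schema defines it.

```python
# Constructed SPDX package: the externalRefs snippet from the issue, wrapped in a package.
SPDX_PACKAGE = {
    "name": "my-app",
    "externalRefs": [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:github/my-org/my-app@7d35c64261eeb9e9f8b2b4b0d119366dda99c6fd"},
    ],
}

# Constructed CycloneDX component using both candidate expressions discussed above.
CDX_COMPONENT = {
    "type": "library",
    "name": "my-app",
    "externalReferences": [{"type": "vcs", "url": "https://github.com/my-org/my-app.git"}],
    "pedigree": {"commits": [
        {"uid": "7d35c64261eeb9e9f8b2b4b0d119366dda99c6fd",
         "url": "https://github.com/my-org/my-app/commit/7d35c64261eeb9e9f8b2b4b0d119366dda99c6fd"},
    ]},
}


def source_from_spdx(pkg):
    """Return (repo_url, commit) from the first pkg:github purl in externalRefs, else None."""
    for ref in pkg.get("externalRefs", []):
        locator = ref.get("referenceLocator", "")
        if ref.get("referenceType") != "purl" or not locator.startswith("pkg:github/"):
            continue
        path, sep, version = locator[len("pkg:github/"):].partition("@")
        if not sep:
            continue  # a purl without a version pins no commit
        # Drop purl qualifiers (?...) and subpath (#...) so only the version remains.
        version = version.split("?", 1)[0].split("#", 1)[0]
        return f"https://github.com/{path}", version
    return None


def source_from_cdx(comp):
    """Return (repo_url, commit) from a vcs externalReference and pedigree.commits, else None."""
    repo = next((r["url"] for r in comp.get("externalReferences", [])
                 if r.get("type") == "vcs" and "url" in r), None)
    commits = comp.get("pedigree", {}).get("commits", [])
    if repo is None or not commits or "uid" not in commits[0]:
        return None
    repo = repo[:-4] if repo.endswith(".git") else repo  # normalise clone URL to repo URL
    return repo, commits[0]["uid"]


def same_source(spdx_pkg, cdx_comp):
    """True only when both documents resolve to the same repository and commit."""
    a, b = source_from_spdx(spdx_pkg), source_from_cdx(cdx_comp)
    return a is not None and a == b
```

Running `same_source(SPDX_PACKAGE, CDX_COMPONENT)` returns `True` for the constructed pair; a component with a `vcs` reference but no `pedigree.commits` resolves to `None`, which is the ambiguity the issue raises.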
