Status: Open
Labels: enhancement (New feature or request)
Description
ScanCode.io will generate a project result file as JSON after each run that includes project details like input sources, settings, packages and dependencies found. Other SBOM tools such as grype and trivy are able to store these project result details within the SBOMs they generate, using CycloneDX properties and SPDX annotations.
It might be a good idea for ScanCode.io to do the same; not yet sure which level of detail should be captured in the SBOM.
Example from Trivy below:
```json
{
  "purl": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0",
  "properties": [
    {
      "name": "aquasecurity:trivy:LayerDiffID",
      "value": "sha256:ded7a220bb058e28ee3254fbba04ca90b679070424424761a53a043b93b612bf"
    },
    {
      "name": "aquasecurity:trivy:LayerDigest",
      "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715"
    },
    {
      "name": "aquasecurity:trivy:PkgID",
      "value": "alpine-baselayout@3.4.0-r0"
    },
    {
      "name": "aquasecurity:trivy:PkgType",
      "value": "alpine"
    },
    {
      "name": "aquasecurity:trivy:SrcName",
      "value": "alpine-baselayout"
    },
    {
      "name": "aquasecurity:trivy:SrcVersion",
      "value": "3.4.0-r0"
    }
  ]
}
```
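To make the proposal concrete, here is an added example (not ScanCode.io's own code, and not how the project has decided to implement this) that takes a constructed project result shaped like the fields the issue lists (input sources, settings, packages), writes them into a CycloneDX BOM as namespaced `properties`, and reads them back. The `scancodeio:` property namespace, the `PROJECT_RESULT` contents and the `build_cyclonedx`/`read_properties` helpers are all assumptions made for this example; the `TRIVY_COMPONENT` is the Trivy fragment quoted in the issue, used to show that the same reader works on another tool's namespace.

```python
import json

# Assumed namespace for this example; ScanCode.io has not defined one.
PROPERTY_NAMESPACE = "scancodeio"

# Constructed project result, modelled on the fields the issue mentions.
PROJECT_RESULT = {
    "name": "example-project",
    "input_sources": ["https://example.invalid/app-1.0.tar.gz"],
    "settings": {"pipeline": "scan_codebase", "extract_recursively": True},
    "packages": [
        {
            "purl": "pkg:pypi/requests@2.31.0",
            "name": "requests",
            "version": "2.31.0",
            "detected_by": "python_inspector",   # constructed extra detail
            "license_expression": "apache-2.0",  # constructed extra detail
        }
    ],
}

# The Trivy component quoted in the issue, reduced to the fields used here.
TRIVY_COMPONENT = {
    "purl": "pkg:apk/alpine/alpine-baselayout@3.4.0-r0?arch=x86_64&distro=3.17.0",
    "properties": [
        {"name": "aquasecurity:trivy:LayerDigest",
         "value": "sha256:c158987b05517b6f2c5913f3acef1f2182a32345a304fe357e3ace5fadcad715"},
        {"name": "aquasecurity:trivy:PkgType", "value": "alpine"},
        {"name": "aquasecurity:trivy:SrcName", "value": "alpine-baselayout"},
        {"name": "aquasecurity:trivy:SrcVersion", "value": "3.4.0-r0"},
    ],
}


def _flatten(value, prefix=""):
    """Yield (key, string) pairs. Nested dicts become colon-separated keys;
    anything that is not already a string is JSON-encoded so it round-trips,
    because CycloneDX property values must be strings."""
    if isinstance(value, dict):
        for key, sub in value.items():
            yield from _flatten(sub, f"{prefix}{key}:")
    else:
        text = value if isinstance(value, str) else json.dumps(value)
        yield prefix.rstrip(":"), text


def to_properties(namespace, mapping):
    """Turn a mapping into a CycloneDX `properties` list under one namespace,
    so the entries cannot collide with properties written by other tools."""
    return [{"name": f"{namespace}:{key}", "value": text}
            for key, text in _flatten(mapping)]


def build_cyclonedx(project):
    """Build a minimal CycloneDX 1.4 BOM: project-level details go into
    metadata.properties, per-package details into each component's properties."""
    project_details = {k: project[k] for k in ("input_sources", "settings")}
    components = []
    for pkg in project["packages"]:
        extra = {k: v for k, v in pkg.items() if k not in ("purl", "name", "version")}
        components.append({
            "type": "library",
            "name": pkg["name"],
            "version": pkg["version"],
            "purl": pkg["purl"],
            "properties": to_properties(PROPERTY_NAMESPACE, extra),
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": project["name"]},
            "properties": to_properties(PROPERTY_NAMESPACE, project_details),
        },
        "components": components,
    }


def read_properties(properties, namespace):
    """Return {key: value} for the properties in one namespace, ignoring the
    rest; a consumer uses this to pull out one tool's details from a BOM."""
    prefix = namespace + ":"
    return {p["name"][len(prefix):]: p["value"]
            for p in properties if p["name"].startswith(prefix)}


if __name__ == "__main__":
    print(json.dumps(build_cyclonedx(PROJECT_RESULT), indent=2))
    print(read_properties(TRIVY_COMPONENT["properties"], "aquasecurity:trivy"))
```

Keeping every key under a single namespace is what lets a downstream consumer filter for ScanCode.io's details (or Trivy's) without parsing the rest of the BOM, and encoding non-string values as JSON keeps lists and booleans recoverable while staying within the string-only property values CycloneDX allows. The same flattened key/value pairs could be emitted as SPDX annotation comments with no change to the flattening step.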