
Make CycloneDX reporter more configurable #11559

@oheger-bosch

Description


What is the functionality you want to propose?

SBOMs in CycloneDX format contain a section with metadata about the main component described by the document. So far, CycloneDxReporter fills this section with the following values:

  • type is set to FILE
  • name is set to the URL of the analyzed repository
  • version is set to the VCS revision of the repository

These hard-coded values are not always appropriate for some use cases. Therefore, the reporter should support configuration options to override them. This would be in line with the SPDX reporter, which allows configuring some of the metadata properties.

What is the use-case for your enhancement?

The generated SBOMs are to be uploaded to a central SBOM database. There are some conventions for the metadata properties they need to adhere to.

Alternatives you have considered

As I have learned from a customer, the current values set by the reporter are a bit strange:

  • The type FILE typically means some non-executable file, such as an office document. There are SBOM processing tools that do not expect that such components declare dependencies.
  • Having a URL in the name property does not seem right.
  • A commit hash in the version property is rather technical; for humans the version of the component/the artifact is more meaningful.

So, as an alternative, or in addition, it would make sense to change the default values set by the reporter:

  • A better default for the type could be Application.
  • name could default to the name of the analyzed ORT project.
  • version could default to the version of the analyzed ORT project.

I am not sure, however, whether changing these defaults could break something; this would in any case be a breaking change.
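As an added example (not ORT's or the CycloneDX reporter's own code), a small Python check of the conventions this issue raises for `metadata.component` in a CycloneDX JSON document; the two sample BOMs, the repository URL, the commit hash and the version are constructed placeholders:

```python
"""Added example (not ORT code): flag CycloneDX metadata.component values that
match the defaults criticised in this issue before an SBOM is uploaded."""
import json
import re

# Heuristic for a VCS revision: 7 to 40 lower-case hex characters and nothing else.
_HEX_REVISION = re.compile(r"^[0-9a-f]{7,40}$")
# Heuristic for a URL scheme at the start of the name (https://, ssh://, git+ssh://, ...).
_URL_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://")

# Constructed sample: what the reporter emits today (type file, name = repo URL,
# version = VCS revision). All values are placeholders, not from a real project.
CURRENT_DEFAULTS = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "file",
        "name": "https://github.com/example-org/example-project.git",
        "version": "3f2a9c1d5e7b8a0f1c2d3e4f5a6b7c8d9e0f1a2b",
    }},
    "components": [],
})

# Constructed sample: the proposed defaults (application / project name / project version).
PROPOSED_DEFAULTS = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {
        "type": "application",
        "name": "example-project",
        "version": "1.4.2",
    }},
    "components": [],
})


def check_metadata_component(bom_json: str) -> list[str]:
    """Return the list of convention violations for metadata.component (empty = OK)."""
    bom = json.loads(bom_json)
    component = bom.get("metadata", {}).get("component")
    if component is None:
        return ["metadata.component is missing"]
    findings = []
    # CycloneDX JSON spells component types in lower case; 'file' denotes a
    # non-executable document, which some consumers do not expect to declare dependencies.
    if component.get("type") == "file":
        findings.append("type is 'file'; consider 'application' for the analyzed project")
    if _URL_SCHEME.match(component.get("name", "")):
        findings.append("name looks like a repository URL; use the project or artifact name")
    if _HEX_REVISION.match(component.get("version", "")):
        findings.append("version looks like a VCS revision; use the artifact version")
    return findings
```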
