Description
This is more of a discussion on the possible value of one of the features, called comp_with_source_code_hash, which checks whether a component contains hash values for its source code or not. For SPDX, this refers to the PackageVerificationCode under the Packages attribute, while for CycloneDX it is assumed that no such attribute is present. But I would like to initiate a discussion on the same:
So, if we look at the meaning of this feature, it means "the hash value of the source code". But whose hash value is this? It is the hash value of the "source code", which is referred to via comp_with_source_code_uri.
And in CycloneDX, this attribute is represented by:
externalReferences->type (vcs)
For example:

```json
"externalReferences": [
  {
    "url": "https://github.com/k8s.io/kubectl",
    "type": "vcs"
  }
]
```

If so, then externalReferences also provides a field to add the hash value for the corresponding type. Look at the structure of externalReferences here: https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences
It has a type field for external references, and along with that it also provides a field for the hash value of those external references via: https://cyclonedx.org/docs/1.6/json/#components_items_externalReferences_items_hashes
So, if we wrap it as a whole with comp_with_source_code_uri and comp_with_source_code_hash, then CycloneDX will be represented in this way:

```json
"externalReferences": [
  {
    "url": "https://github.com/k8s.io/kubectl",
    "type": "vcs",
    "hashes": [
      {
        "alg": "SHA-256",
        "content": "1aaa94260619fa7a79c64bb0549f7005c9b422306d88251cbcb43f095d978a11"
      }
    ]
  }
]
```

Hence, the value of:
comp_with_source_code_uri is https://github.com/k8s.io/kubectl, and comp_with_source_code_hash is 1aaa94260619fa7a79c64bb0549f7005c9b422306d88251cbcb43f095d978a11
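As an added example (not code from this issue or from the project it is filed against), the following Python checker derives comp_with_source_code_uri and comp_with_source_code_hash the way the issue proposes: from the `vcs` externalReference of a CycloneDX component and its optional `hashes`, and from `packageVerificationCode` for an SPDX package. The key names `packageVerificationCode` / `packageVerificationCodeValue` are those of the SPDX 2.3 JSON serialisation; the sample component and package are constructed, and the hex-length check on the hash content is an extra sanity check added here, not a rule stated in the issue.

```python
import json
from typing import Optional

# Constructed CycloneDX component, modelled on the structure quoted in the issue.
CDX_COMPONENT = json.loads("""
{
  "type": "application",
  "name": "kubectl",
  "externalReferences": [
    {"url": "https://github.com/k8s.io/kubectl", "type": "vcs",
     "hashes": [{"alg": "SHA-256",
                 "content": "1aaa94260619fa7a79c64bb0549f7005c9b422306d88251cbcb43f095d978a11"}]}
  ]
}
""")

# Constructed component with a vcs reference but no hashes: uri present, hash absent.
CDX_COMPONENT_NO_HASH = json.loads("""
{
  "type": "application",
  "name": "kubectl",
  "externalReferences": [{"url": "https://github.com/k8s.io/kubectl", "type": "vcs"}]
}
""")

# Constructed SPDX 2.3 JSON package; the verification code value is a sample, not real.
SPDX_PACKAGE = json.loads("""
{
  "SPDXID": "SPDXRef-Package-kubectl",
  "name": "kubectl",
  "packageVerificationCode": {"packageVerificationCodeValue": "d6a770ba38583ed4bb4525bd96e50461655d2758"}
}
""")

# Expected hex digest length per CycloneDX hash algorithm name (sanity check only).
HEX_LEN = {"MD5": 32, "SHA-1": 40, "SHA-256": 64, "SHA-384": 96, "SHA-512": 128,
           "SHA3-256": 64, "SHA3-384": 96, "SHA3-512": 128}


def well_formed_hash(alg: str, content: str) -> bool:
    """True if content is a hex digest of the length expected for alg."""
    n = HEX_LEN.get(alg)
    return n is not None and len(content) == n and all(c in "0123456789abcdefABCDEF" for c in content)


def cdx_source_code_ref(component: dict) -> tuple[Optional[str], list]:
    """First externalReference of type 'vcs' -> (url, hashes list)."""
    for ref in component.get("externalReferences", []):
        if ref.get("type") == "vcs" and ref.get("url"):
            return ref["url"], ref.get("hashes", [])
    return None, []


def cdx_comp_with_source_code_uri(component: dict) -> Optional[str]:
    return cdx_source_code_ref(component)[0]


def cdx_comp_with_source_code_hash(component: dict) -> Optional[str]:
    """First well-formed hash attached to the vcs reference, else None."""
    _, hashes = cdx_source_code_ref(component)
    for h in hashes:
        if well_formed_hash(h.get("alg", ""), h.get("content", "")):
            return h["content"]
    return None


def spdx_comp_with_source_code_hash(package: dict) -> Optional[str]:
    """SPDX: the PackageVerificationCode value (a SHA-1 hex string), if present."""
    code = package.get("packageVerificationCode", {}).get("packageVerificationCodeValue")
    return code if code and well_formed_hash("SHA-1", code) else None


def evaluate_cdx(component: dict) -> dict:
    """Pass/fail for both features on one CycloneDX component."""
    return {
        "comp_with_source_code_uri": cdx_comp_with_source_code_uri(component) is not None,
        "comp_with_source_code_hash": cdx_comp_with_source_code_hash(component) is not None,
    }


if __name__ == "__main__":
    print(evaluate_cdx(CDX_COMPONENT))
    print(evaluate_cdx(CDX_COMPONENT_NO_HASH))
    print(spdx_comp_with_source_code_hash(SPDX_PACKAGE))
```

The second constructed component shows the case the issue turns on: a `vcs` reference alone satisfies comp_with_source_code_uri but leaves comp_with_source_code_hash unmet, so the two features stay distinct.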