Generate SBOMs with framework type components
Proposal
Gemnasium only generates SBOMs whose components are all of component type library, but the CycloneDX specification also allows components of type framework. We should update the analyzer so that it can distinguish between a framework and a library.
Additional info
I had previously asked in the CycloneDX Slack workspace about why this type was needed, and got some information from one of the community members.
Recently, I’ve been working on a project that involves reading and creating CycloneDX SBOMs, and the distinction between library and framework piqued my interest. I tried searching Slack for more context as to why the distinction was made, but I couldn’t find anything. Is there a specific use case (or use cases) where the framework component type might be useful? I’d like to learn more about this so I can take them into account. Thanks in advance!
e.g. Spring is a framework since it adds some entry points into the application. cdxgen tries its best to tag such frameworks, which downstream SCA tools can use to perform advanced analysis such as reachability, etc. Hope this helps.
Thank you, that makes a lot of sense and in that context can be very helpful. We also support generating CycloneDX SBOMs, but hadn’t considered this angle previously. I’d like for our generators to stay in line as much as possible with cdxgen outputs. Is there a list of known frameworks built into it?
There is a hard-coded list here.
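To make the proposal concrete, here is an added example (not Gemnasium's or cdxgen's code) of the classification step the analyzer would need: components are emitted as type library by default, and any component whose coordinates match a hard-coded list of known frameworks is re-tagged as type framework before the CycloneDX document is written. The struct fields are a minimal subset of a CycloneDX 1.4 component; the framework list and the sample components are constructed for illustration, and in a real analyzer the list would be sourced from a maintained source such as the one cdxgen ships.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Component is a minimal subset of a CycloneDX component object.
// "type" is the field this issue is about: "library" vs "framework".
type Component struct {
	Type    string `json:"type"`
	Group   string `json:"group,omitempty"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl,omitempty"`
}

// BOM is a minimal CycloneDX document wrapper.
type BOM struct {
	BOMFormat   string      `json:"bomFormat"`
	SpecVersion string      `json:"specVersion"`
	Components  []Component `json:"components"`
}

// knownFrameworks is a constructed, illustrative list keyed by "group:name"
// (Maven coordinates). It stands in for a maintained list of frameworks.
var knownFrameworks = map[string]bool{
	"org.springframework:spring-core":      true,
	"org.springframework.boot:spring-boot": true,
}

// key builds the lookup key for a component; ecosystems without a group
// (npm without scope, PyPI) fall back to the bare name.
func key(c Component) string {
	if c.Group == "" {
		return c.Name
	}
	return c.Group + ":" + c.Name
}

// ClassifyComponents returns a copy of comps in which every component found
// in frameworks has Type set to "framework"; all others keep their type.
// The input slice is not mutated.
func ClassifyComponents(comps []Component, frameworks map[string]bool) []Component {
	out := make([]Component, len(comps))
	copy(out, comps)
	for i := range out {
		if frameworks[key(out[i])] {
			out[i].Type = "framework"
		}
	}
	return out
}

// CountByType summarises how many components carry each type, which is a
// cheap sanity check when comparing output against another generator.
func CountByType(comps []Component) map[string]int {
	counts := map[string]int{}
	for _, c := range comps {
		counts[c.Type]++
	}
	return counts
}

func main() {
	// Constructed sample input: what a library-only SBOM contains today.
	input := []Component{
		{Type: "library", Group: "org.springframework", Name: "spring-core", Version: "6.1.0",
			PURL: "pkg:maven/org.springframework/spring-core@6.1.0"},
		{Type: "library", Group: "com.google.guava", Name: "guava", Version: "33.0.0-jre",
			PURL: "pkg:maven/com.google.guava/guava@33.0.0-jre"},
	}
	bom := BOM{
		BOMFormat:   "CycloneDX",
		SpecVersion: "1.4",
		Components:  ClassifyComponents(input, knownFrameworks),
	}
	b, err := json.MarshalIndent(bom, "", "  ")
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```

Matching on group and name rather than on the full purl keeps the list independent of version, which is what a downstream reachability tool cares about: it needs to know that Spring is present and contributes entry points, not which patch release is installed.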
Links
- List of known frameworks
- Forum thread that mentions using this to check if found frameworks are supported.