cyclonedx / cyclonedx.org Goto Github PK

The Use Cases page has a menu that displays on the right side of the page and which lists the use cases. ie, a list that is long, a list that will grow!

However, the functionality of the menu is impaired because it does not scroll properly (tested using both latest Firefox and latest Chrome).

If I want to see what is listed after "Service Definition" (currently, seven use cases) then I either have to scroll right down to the bottom of the page, or press "Page Down" 70 times. One can also Zoom Out to shrink font size and display the entire list without scrolling. But all of these are a pain.

Can navigation be improved?

followup of CycloneDX/specification#379
with the release of CycloneDX v1.6 we need to update use-cases and examples.

this ticket shall be a tracker for the needed work:

• update use-cases for component.authors(old: component.author) according to CycloneDX/specification#379
• add use-case for component.manufacturer according to CycloneDX/specification#379
• add use-case for metadata.manufacturer according to CycloneDX/specification#379
• update use-cases for metadata.manufactur(deprecated) -> metadata.component.manufacturer according to CycloneDX/specification#379
• all of #281 (comment)
• ... to be continued ...

The use-cases have short introductions to features and capabilities.
The guides give deeper insights.

The "use-cases" documents are often used as a quick start, that make people want to learn the details.
The "capabilities" documents are often used as a quick start, that make people want to learn the details.
To help people transition from entry levels to mature levels, the guide should be linked in the use-cases.

For example https://cyclonedx.org/use-cases/#properties--name-value-store
could link to https://cyclonedx.org/guides/sbom/extensibility/#cyclonedx-properties and others.

The Tool Center shows that there are 164 tools as of 30th November 2022.

This gives no indication of the rate of growth. I examined the history of tools.yml (and tools.json before that) and extracted data that I believe would make for an interesting graph. Hence this issue.... an enhancement suggestion

November 2022       164
October 2022        155
Sept 2022           152
August 2022         146
July 2022           135
June 2022           131
May 2022            129
April 2022          124
March 2022          119
February 2022       107
January 2022        100
December 2021       90
November 2021       86
October 2021        84
September 2021      81
August 2021         67
July 2021           67
June 2021           67
May 2021            63
April 2021          51
March 2021          51
February 2021       48
January 2021        48
December 2021       48
November 2021       47
October 2021        47
September           46
August 2021         44
July 2021           42

goal

have an automatism, that sets the label "tool-center" to issues, if they modify the tool-center driving files.

solution:

have a github workflowm, that

• is triggered on PRs creation/modification
  if the event modify the respective file _data/tools.yml
• has write-access to pullrequests, and no further permission
• assigns the label "tool-center" to the PR

Hello

I have created a new tool to visualise cyclonedx sboms in neo4j - https://github.com/javixeneize/neo4cyclone

I think this would be useful to be added under tools. What is the process to do that?

Thanks

• what i see:
  

my browser is reflecting my window manager being set to dark-mode.
therefore the default layout of a page is set to a darker background-color and a lighter foreground-color.

the web page's css sets the .body { color: #333; } but does not set a background color.
so my browser uses my (dark) default background color. which results in a dark on dark result. as shown in the screenshot.

a fix would be: set a proper background color in the body css or where it needs to apply.

When one embeds a link to the CycloneDX website in twitter, Slack, MS Teams (etc) then the link preview states:

OWASP CycloneDX is a lightweight software bill of materials (SBOM) standard designed for use in application security contexts and supply chain component analysis

I believe that this should be updated. CycloneDX is more than just SBOM... and the text sort of sells CycloneDX short. There has been more than one occasion when I have sent a link and then had to follow-up with extra info to explain. Also, if space allows, mention NTIA or similar?

Also, the use of the word lightweight has definitely been used against CycloneDX by those who would say "Use X rather than CycloneDX because CycloneDX is lightweight".

after CDX 1.6 was released, the following things needs updates:

• https://cyclonedx.org/theme/assets/images/cyclonedx-release-timeline.svg#center

Tools page points to the incorrect buildroot github repo. It should point to https://github.com/CycloneDX/cyclonedx-buildroot

Hello,

On the cycloneDX tool center, the tool "cve_bin_tool" is listed as CycloneDX complient but isn't.
See intel/cve-bin-tool#1368

Have a nice day

currently the JSON schema spec 1.2 has a $id of https://cyclonedx.org/schema/bom-1.2a.schema.json
see: https://github.com/CycloneDX/specification/blob/master/schema/bom-1.2.schema.json

the id is URL-like.
expected behaviour: requesting the URL does respond with the JSON schema document.

unfortunately this URL "https://cyclonedx.org/schema/bom-1.2a.schema.json" does not deliver the JSON schema.
the URL "https://cyclonedx.org/schema/bom-1.2.schema.json" does hold the JSON schema document.

Proposal: have both URLs deliver the current 1.2 JSON schema

We should provide guidance and an example of describing components down to the file level.

In some cases it is possible to determine a file version, i.e. DLLs. But for a lot of file types this isn't possible. And I suggest a hash is used as the version on those files.

I noticed that the vulnerability extension link is no longer working. It looks like the section headers are being rendered over the links and preventing click events from getting through to the links. It also affects the Reliza Hub link and the bottom half of the MedScan link.

I still haven't managed to get this running locally or I would look into it. I'll send a screenshot of the header element highlighted via slack.

current use-cases of https://cyclonedx.org/use-cases/ are like this:

{
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "acme-library",
      "version": "1.0.0"
    }
  ]
}

PROPOSAL: add the used json schema as $schema to all existing JSON examples,
so that more people produce correct CDX documents with the support of their IDE.

the used value for the property $schema must be the $id of the used schema. see https://github.com/CycloneDX/specification/blob/master/schema

Benefit: IDE/tools know the applied JSON schema and can act accordingly in their respective domain.

Example:

{
  "$schema": "http://cyclonedx.org/schema/bom-1.3.schema.json",
  "bomFormat": "CycloneDX",
  "specVersion": "1.3",
  "serialNumber": "urn:uuid:3e671687-395b-41f5-a30f-a58921a69b79",
  "version": 1,
  "components": [
    {
      "type": "library",
      "name": "acme-library",
      "version": "1.0.0"
    }
  ]
}

Add example use case that demonstrates differences between a software component and hash with additional external reference distribution hashes.

Hello,

It would be nice if we could filter tools with several tags on the tool center
ex: looking for Build-integration tools which are opensource

Thanks for your work!

See the video:

System:
Safari Version 16.3 (18614.4.6.1.5)
macOS Ventura 13.2 (arm64)