-
I'm not aware of any use case where a component has multiple CPEs or PURLs at the time it was built. A component is typically only going to have a single identity. Many organizations overload multiple CPEs and PURLs to account for data inconsistencies in external systems, such as the NVD. But that's a misuse of what a BOM is. I would recommend reading through the Component Identity Evidence section in the Authoritative Guide to SBOM on page 62. Example 2 on page 64 likely has what you're looking for.
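An added example, not part of the reply above and not taken from the guide it cites: a sketch of keeping one PURL and one CPE on a component while recording the other candidate identifiers as identity evidence. The `evidence.identity` field names follow my reading of the CycloneDX 1.6 JSON schema; `build_component`, its tuple input shape, and all sample identifiers are assumptions made for illustration.

```python
import json

# Fields this example accepts; the 1.6 schema allows more (name, version, hash, ...).
ALLOWED_FIELDS = {"purl", "cpe"}

def build_component(name, version, purl, cpe, candidates):
    """Return a component dict with ONE purl and ONE cpe; every identifier
    that was considered is kept under evidence.identity.

    candidates: (field, value, technique, confidence) tuples, a hypothetical
    input shape chosen for this example.
    """
    identity = []
    for field, value, technique, confidence in candidates:
        if field not in ALLOWED_FIELDS:
            raise ValueError(f"unsupported identity field: {field}")
        if not 0.0 <= confidence <= 1.0:
            raise ValueError(f"confidence out of range: {confidence}")
        identity.append({
            "field": field,
            "confidence": confidence,
            "concludedValue": value,
            "methods": [{"technique": technique, "confidence": confidence, "value": value}],
        })
    # Strongest evidence first, so consumers see the likeliest match at the top.
    identity.sort(key=lambda e: e["confidence"], reverse=True)
    return {
        "type": "library", "name": name, "version": version,
        "purl": purl, "cpe": cpe,
        "evidence": {"identity": identity},
    }

# Constructed sample data: names, identifiers and confidences are made up.
PRIMARY_PURL = "pkg:maven/com.example/example-lib@1.2.3"
PRIMARY_CPE = "cpe:2.3:a:example:example-lib:1.2.3:*:*:*:*:*:*:*"
ALT_CPE = "cpe:2.3:a:example_project:example_lib:1.2.3:*:*:*:*:*:*:*"
SAMPLE = build_component(
    "example-lib", "1.2.3", PRIMARY_PURL, PRIMARY_CPE,
    candidates=[
        ("cpe", ALT_CPE, "filename", 0.3),
        ("purl", PRIMARY_PURL, "manifest-analysis", 0.9),
        ("cpe", PRIMARY_CPE, "manifest-analysis", 0.8),
    ],
)

if __name__ == "__main__":
    print(json.dumps(SAMPLE, indent=2))
```

Vulnerability-matching tools that read only `purl` and `cpe` see a single identity, while the lower-confidence CPE stays available to consumers that inspect the evidence.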
-
Hi,
Looking at the v1.6 spec it seems that a single component can have exactly one CPE and PURL.
I have two questions related to that.
Has there been any discussion to allow multiple values for each of those per component?
What would be the best way to represent additional CPE and PURL values within the constraints of the current latest spec? Would it be using custom properties on each component?
The use case would be to annotate a library component with related CPEs, or with PURLs from different ecosystems.