Describe the feature
I want to be able to describe not just security vulnerabilities in my software but also functional vulnerabilities, i.e. defects, and have this information available for release notes.
Possible solutions
Introduction of an optional field for vulnerabilities -> vulnerabilityType which is an enumeration of security, functional & presentational
Alternatives
Use custom properties
Additional context
I am attempting to produce release notes using an SBOM, hence wishing to be able to populate the SBOM with defects recorded in our issue tracker (Jira).
Thanks for the suggestion. Perhaps this capability should be incorporated into the wider TM-BOM concepts that we are working on. We will be supporting threats, weaknesses, controls, etc in CycloneDX v1.7. When we get to controls, that may involve various types of "issues", such as enhancement requests or defects.
Can you expand upon what it is that you're looking for?
What specific use cases are you looking for CycloneDX v1.7 to achieve?
My end goal is to be able to take an SBOM which might come from a single source (Dependency-Track) or a merged SBOM, using information from the Dependency-Track SBOM and an SBOM which is created by a tool/script I maintain which is filled with issues in a particular version of my application based upon data we store in Jira.
The 3 key aspects i want to have in my release notes are:
New Features (resolves array) of issues
-- type = enhancement
-- ID = Jira key
-- Name = Jira title
-- Description = either description or release note field
-- source.name = jira
-- source.url = weblink
Fixes (resolves array) of issues
-- type = defect
-- ID = Jira key
-- Name = Jira title
-- Description = either description or release note field
-- source.name = jira
-- source.url = weblink
Defects (vulnerability array) of vulnerabilities
-- vulnerabilityType = functional
-- ID = Jira key
-- Description = title from Jira
-- detail = description from Jira
-- workaround = workaround from jira
-- proofOfConcept.reproductionSteps = steps defined in Jira to reproduce
-- source.name = jira
-- source.url = weblink
By using SBOMs I could even include security enhancements and security vulnerabilities, and if I wanted to take it a step further I could even list all the components as part of technical release notes as opposed to customer-friendly release notes.
The biggest gain I see is eliminating the need to manually produce the list of issues and at the same time potentially making my release notes even more comprehensive/detailed by using the data which is available from the SBOM.
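As an added example (not code from the CycloneDX project or from the issue author), the mapping above written out as a small generator: Jira issues go into `metadata.component.releaseNotes.resolves` as CycloneDX `issue` objects (`type` is the spec's existing `defect` / `enhancement` / `security` enumeration), and known-but-unfixed defects go into the top-level `vulnerabilities` array using the fields the spec already has (`description`, `detail`, `workaround`, `proofOfConcept.reproductionSteps`, `source`). Since no `vulnerabilityType` field exists in the published schema, the "use custom properties" alternative from the issue is used instead, via a property name (`example:vulnerabilityType`) that is an assumption of this example. The Jira records, project key, URLs and the rule "Done Bug = fix, open Bug = known defect, Done Story = enhancement" are all constructed for the demonstration.

```python
"""Added example: build a CycloneDX 1.5 document for one application version
from Jira issues, so release notes can be generated from the SBOM.
Not the CycloneDX project's code; all Jira data below is constructed."""
import json
import uuid
from datetime import datetime, timezone

# Constructed sample of what a Jira export script is assumed to produce.
JIRA_ISSUES = [
    {"key": "APP-101", "issuetype": "Story", "status": "Done",
     "summary": "Add SSO login",
     "description": "Users can authenticate against the corporate IdP.",
     "release_note": "Single sign-on via SAML 2.0 is now supported.",
     "url": "https://jira.example.test/browse/APP-101"},
    {"key": "APP-202", "issuetype": "Bug", "status": "Done",
     "summary": "Export crashes on empty report",
     "description": "Exporting a report with zero rows throws an exception.",
     "release_note": None,
     "url": "https://jira.example.test/browse/APP-202"},
    {"key": "APP-303", "issuetype": "Bug", "status": "Open",
     "summary": "Date picker ignores browser locale",
     "description": "The picker always renders dates as MM/DD/YYYY.",
     "release_note": None,
     "workaround": "Type the date manually in ISO 8601 format.",
     "reproduction_steps": "1. Set browser locale to de-DE\n2. Open the date picker",
     "url": "https://jira.example.test/browse/APP-303"},
]

# Hypothetical custom property standing in for the proposed vulnerabilityType
# field; the published CycloneDX schema has no such field.
FUNCTIONAL_TYPE_PROPERTY = "example:vulnerabilityType"


def _issue_entry(issue, issue_type):
    """One CycloneDX 'issue' object for releaseNotes.resolves."""
    return {
        "type": issue_type,  # spec enumeration: defect | enhancement | security
        "id": issue["key"],
        "name": issue["summary"],
        # Prefer the dedicated release-note field, fall back to the description.
        "description": issue.get("release_note") or issue["description"],
        "source": {"name": "jira", "url": issue["url"]},
    }


def _functional_vulnerability(issue, app_ref):
    """A known, unfixed defect expressed as a CycloneDX vulnerability."""
    vuln = {
        "bom-ref": f"jira-{issue['key']}",
        "id": issue["key"],
        "source": {"name": "jira", "url": issue["url"]},
        "description": issue["summary"],
        "detail": issue["description"],
        "affects": [{"ref": app_ref}],
        "properties": [{"name": FUNCTIONAL_TYPE_PROPERTY, "value": "functional"}],
    }
    if issue.get("workaround"):
        vuln["workaround"] = issue["workaround"]
    if issue.get("reproduction_steps"):
        vuln["proofOfConcept"] = {"reproductionSteps": issue["reproduction_steps"]}
    return vuln


def build_bom(issues, app_name, app_version):
    """Assumed classification: Story/Done -> enhancement, Bug/Done -> fixed
    defect (both in resolves), Bug not Done -> known defect (vulnerabilities)."""
    app_ref = f"{app_name}@{app_version}"
    resolves, vulns = [], []
    for issue in issues:
        done = issue["status"] == "Done"
        if issue["issuetype"] == "Story" and done:
            resolves.append(_issue_entry(issue, "enhancement"))
        elif issue["issuetype"] == "Bug" and done:
            resolves.append(_issue_entry(issue, "defect"))
        elif issue["issuetype"] == "Bug":
            vulns.append(_functional_vulnerability(issue, app_ref))
    bom = {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {
                "bom-ref": app_ref,
                "type": "application",
                "name": app_name,
                "version": app_version,
                "releaseNotes": {"type": "minor",
                                 "title": f"{app_name} {app_version}",
                                 "resolves": resolves},
            },
        },
    }
    if vulns:
        bom["vulnerabilities"] = vulns
    return bom


def functional_vulnerabilities(bom):
    """Select the functional entries so a security-facing report can drop them."""
    return [v for v in bom.get("vulnerabilities", [])
            if any(p["name"] == FUNCTIONAL_TYPE_PROPERTY and p["value"] == "functional"
                   for p in v.get("properties", []))]


if __name__ == "__main__":
    print(json.dumps(build_bom(JIRA_ISSUES, "example-app", "2.4.0"), indent=2))
```

One caveat worth keeping in mind with the custom-property route: any consumer that ingests the `vulnerabilities` array without knowing the property (Dependency-Track, a VEX merge, a customer's scanner) will count a functional defect as a security finding, so the filter in `functional_vulnerabilities` is what keeps the release-notes BOM from polluting a security report, and a functional-only BOM should not be the one distributed as the product's security SBOM.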