Store analysis metadata in the CycloneDX SBOM #541
Description
There is currently no easy way to determine by reading the SBOM alone what commit or as-of date was used to generate it. To solve this problem, store the data in the BOM's Metadata as Property values.
- Analysis ID
- The analysis ID that this SBOM was created for
- Property name
freshli:analysis:id
- Analysis Date
- The timestamp when the SBOM file was created
- Property name
freshli:analysis:creation-date
- As-Of Date
- The historical point in time that this SBOM was generated for
- Property name
freshli:analysis:as-of-date
- Source code repository
- Repository URL value
- Property name
freshli:source:url
- Source code branch
- The name of the branch that was analyzed.
- Property name
freshli:source:branch
- Source code local path
- The full path of the checked out source code repository that was analyzed
- Property name
freshli:source:clone-path
- Commit ID
- For Git repositories, this is the SHA hash
- Property name
freshli:commit:id
- Commit Date
- The date when the commit was merged into the analyzed branch. This may be different than the date that the commit was created.
- Property name
freshli:commit:date
It will be the responsibility of the core CLI to augment language agent-generated SBOMs with this information.