Should enrichment modify or add to the tools noted in the SBOM

[garethr]

Good question from @rnjudge https://twitter.com/rosejudge5/status/1666879138739916800

how is SBOM creation metadata handled when the SBOM is changed? Is the document creation metadata changed to reflect the new creator?

Warrants investigation. Parlay is adding to, rather than recreating, the original content. You ideally still want to know what tool generated the list of packages, but (separately) knowing that some of the information came from Parlay would be useful.

[mcombuechen]

Both CycloneDX and SPDX should support extending an already available list of creation tools, and add Parlay as an additional entry while maintaining any other tools that might have come before it.

• https://cyclonedx.org/docs/1.4/json/#metadata_tools
• https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#68-creator-field

[rnjudge]

The trouble with adding a creator instance to the original SPDX document is that the timestamp of when Parlay enriches the SBOM and when the SBOM is actually created will be different (in 2.3 at least) and simply adding a creator would imply that those timestamps were the same. The original SBOM should not be modified.

You think could also use an amends relationship from the original document to point to another version of the SBOM that has been enriched. I think you could also enhance the SBOM using annotations of some sort?. to Adding @goneall here because he will have a better idea.

Note that in 3.0 this will be much easier because of the profiles being added. In SPDX 3, you can put enhancement information into a new file which could reference the original one.

[goneall]

Agree with @rnjudge comments above - making amendments to the original SBOM would be the preferred approach. That would allow clear separation of the creation information.

There are a couple of ways you could do this in SPDX:

• create a complete copy of the SBOM + the amended information then have a single amends relationship back to the original document
• create a skinny non-SBOM with just the changed elements and have an amends relationship back to each modified element

I personally like the first approach - seems simpler and in the spirit of this utility.

You can also use Annotations - however, they are unstructured and may not be easily machine understood by the receiver.