feat: add cdx:reproducible property to bom metadata #59
SachinAditya wants to merge 6 commits into CycloneDX:main from
Conversation
Issue CycloneDX#16 highlights that when an SBOM is generated in reproducible mode, this information is not explicitly visible in the resulting CycloneDX BOM. Although the tool already adjusts fields such as the serial number, timestamp, and sorting behavior to support reproducible output, there is currently no clear, machine-readable indicator in the BOM metadata to signal that reproducible mode was used.

This PR addresses that gap by adding a CycloneDX property named cdx:reproducible under metadata.properties. The property is set to "true" when the SBOM is generated with the outputReproducible option enabled, and "false" otherwise.

The property is added after the BOM is created, keeping the existing builder logic unchanged and preserving separation of concerns. This approach aligns with the CycloneDX property taxonomy and follows patterns used in other CycloneDX tooling.

With this change, consumers of the SBOM can easily determine whether the document was generated in reproducible mode, improving transparency and auditability without altering existing behavior.

Signed-off-by: Sachin Vishwakarma <[email protected]>
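To make concrete what a producer and a consumer of this property have to get right, here is an added example in TypeScript; it is not code from this PR or from cyclonedx-esbuild. The plugin itself works on the library's `Models.Bom`, whereas this example works on the serialized CycloneDX JSON document so it runs without dependencies; the `{name, value}` shape of `metadata.properties` is the CycloneDX JSON schema's, while the names `PropertyNames`, `PropertyValues`, `CdxBomJson`, `markReproducible`, `reproducibleState` and `sampleBom` and the sample document are assumptions constructed for the example. The well-known strings live in enums rather than being repeated as literals.

```typescript
// Added example (not cyclonedx-esbuild's own code): stamp and read the
// cdx:reproducible property on a plain CycloneDX JSON document.
// Assumed names: PropertyNames, PropertyValues, CdxBomJson, markReproducible,
// reproducibleState, sampleBom. The {name, value} shape of
// metadata.properties is the CycloneDX JSON schema's.

enum PropertyNames {
  Reproducible = 'cdx:reproducible',
}

enum PropertyValues {
  True = 'true',
  False = 'false',
}

interface CdxProperty {
  name: string
  value: string
}

interface CdxMetadata {
  timestamp?: string
  properties?: CdxProperty[]
}

interface CdxBomJson {
  bomFormat: 'CycloneDX'
  specVersion: string
  serialNumber?: string
  metadata?: CdxMetadata
}

// Producer side: write exactly one cdx:reproducible entry, replacing any
// existing one so that re-running the step never accumulates duplicates.
function markReproducible (bom: CdxBomJson, reproducible: boolean): CdxBomJson {
  if (bom.metadata === undefined) {
    bom.metadata = {}
  }
  const others = (bom.metadata.properties ?? [])
    .filter(p => p.name !== PropertyNames.Reproducible)
  others.push({
    name: PropertyNames.Reproducible,
    value: reproducible ? PropertyValues.True : PropertyValues.False
  })
  bom.metadata.properties = others
  return bom
}

// Consumer side: three outcomes, because a BOM produced by a tool version
// that predates this property carries neither "true" nor "false".
type ReproducibleState = 'reproducible' | 'not-reproducible' | 'unknown'

function reproducibleState (bom: CdxBomJson): ReproducibleState {
  const hits = (bom.metadata?.properties ?? [])
    .filter(p => p.name === PropertyNames.Reproducible)
  if (hits.length === 0) {
    return 'unknown'
  }
  // Property values are strings in CycloneDX, so compare exactly; two
  // entries that disagree are treated as unknown rather than trusting either.
  const distinct = new Set(hits.map(p => p.value))
  if (distinct.size !== 1) {
    return 'unknown'
  }
  const value = hits[0]?.value
  if (value === PropertyValues.True) {
    return 'reproducible'
  }
  if (value === PropertyValues.False) {
    return 'not-reproducible'
  }
  return 'unknown'
}

// Constructed sample document (not a real SBOM) with an unrelated property,
// so a caller can check that markReproducible keeps everything else intact.
function sampleBom (): CdxBomJson {
  return {
    bomFormat: 'CycloneDX',
    specVersion: '1.6',
    metadata: {
      properties: [{ name: 'example:build-id', value: 'constructed-sample' }]
    }
  }
}
```

The third state matters for anyone auditing a corpus of SBOMs: because the PR always writes either "true" or "false", an absent property identifies a document from a tool version that does not emit it, which is a different situation from a build that ran with outputReproducible off, and a consumer that collapses the two into "not reproducible" loses that information.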
some checkboxes were not ticked.
src/plugin.ts
Outdated
      options.gatherLicenseTexts,
      logger)
    // ensure metadata.properties exists
    if (!bom.metadata.properties) {
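Review bot: the guard `if (!bom.metadata.properties) {` is immediately followed, in the next region of the same file, by an unconditional `bom.metadata.properties.add(...)`; if the condition can ever be true, the branch must assign a property repository before that add or the add throws on undefined, and if it can never be true the guard is dead code and should be dropped. Either way, a comment or a test that pins down which case applies would settle the question.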
when shall this condition be false?
src/plugin.ts
Outdated
    // add cdx:reproducible property
    bom.metadata.properties.add(
      new CDX.Models.Property(
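Review bot: since the property is written unconditionally with either "true" or "false", the semantics of an absent `cdx:reproducible` (a BOM from a version that predates this change) differ from "false", and that distinction should be stated in the docs and covered by a test that asserts both values are emitted; keep the name and the two values as named constants rather than inline literals so the tests and any consumer code compare against the same strings.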
please use const enums for well-known strings like these. similar to https://github.com/CycloneDX/cyclonedx-node-npm/blob/main/src/properties.ts
tests are failing.
Signed-off-by: Sachin Vishwakarma <[email protected]>
Signed-off-by: Sachin Vishwakarma <[email protected]>
Signed-off-by: Sachin Vishwakarma <[email protected]>
Signed-off-by: Sachin Vishwakarma <[email protected]>
your changes in https://github.com/CycloneDX/cyclonedx-esbuild/pull/59/changes/45665f542c9bf17fe921228208660ca2efcca47b look like your AI agents are completely broken? :-P instead of fixing your broken tests, you broke the test runner, and removed some docs, and changed a lot unexpectedly.
current PR is changing a lot of code unintentionally, therefore I'll put it as a draft.
Signed-off-by: Sachin Vishwakarma <[email protected]>
Thanks for pointing that out — you’re absolutely right. I went too far trying to fix CI issues and unintentionally changed more than required for this PR. That was my mistake. I’ll clean this up by:
Sorry for the noise, and thanks for the patience.