Add cdx:maven for Maven ecosystem taxonomy

[skhokhlov]

fixes #106

[jkowalleck]

In case the docs are intended to document taxonomy that is already used, I have nothing to add.

In case the taxonomy is still in planning phase, I've added some remarks

[jkowalleck]

no need for comma separated. Better go with a multi-use.

Applied, it would be like

{
  "properties": [
  { "name": "cdx:maven:package:projectsAndScope", "value":"project1:scopeA" },
  { "name": "cdx:maven:package:projectsAndScope", "value":"project1:scopeB" },
  { "name": "cdx:maven:package:projectsAndScope", "value":"project2:scopeA" },
]
}

[skhokhlov]

Yes, I agree, multi-property way is better

[jkowalleck]

@skhokhlov, are these properties used already? if not, i'd suggest a change - #107 (comment)

[skhokhlov]

These properties are not used yet in CycloneDX plugins.

For cdx:maven:package:projectsAndScopes I also thought about using bom-ref instead of project name. Then it's possible to actually link project to a component from BOM. However, there is problem that bom-ref can be any string and it's not clear then how to split key from the value. As a solution, bom-ref can be encoded. @jkowalleck what of you think about it?

[jkowalleck]

These properties are not used yet in CycloneDX plugins.

For cdx:maven:package:projectsAndScopes I also thought about using bom-ref instead of project name. Then it's possible to actually link project to a component from BOM. However, there is problem that bom-ref can be any string and it's not clear then how to split key from the value. As a solution, bom-ref can be encoded. @jkowalleck what of you think about it?

Sorry, I do not understand. could you craft an example SBOM?

[skhokhlov]

Sorry, I do not understand. could you craft an example SBOM?

Sure

{
  "bomFormat" : "CycloneDX",
  "metadata" : {
    "component" : {
      "type" : "library",
      "bom-ref" : "bom-ref-root-project-1",
      "name": "root-project-1"
    }
  },
  "components" : [
    {
      "type" : "library",
      "bom-ref" : "bom-ref-sub-project-1",
      "name": "sub-project-1",
      "properties": [
        { "name": "cdx:maven:package:projectsAndScope", "value":"bom-ref-root-project-1:scopeA" },
        { "name": "cdx:maven:package:projectsAndScope", "value":"bom-ref-root-project-1:scopeB" }
      ]
    },
    {
      "type" : "library",
      "bom-ref" : "bom-ref-library-1",
      "name": "library-1",
      "properties": [
        { "name": "cdx:maven:package:projectsAndScope", "value":"bom-ref-sub-project-1:scopeA" },
        { "name": "cdx:maven:package:projectsAndScope", "value":"bom-ref-root-project-1:scopeB" }
      ]
    }
  ],
  "dependencies": [
    {
      "ref": "bom-ref-root-project-1",
      "dependsOn": ["bom-ref-sub-project-1", "bom-ref-library-1"]
    },
    {
      "ref": "bom-ref-sub-project-1",
      "dependsOn": ["bom-ref-library-1"]
    }
  ]
}

Using cdx:maven:package:projectsAndScope we know that bom-ref-library-1 is used in scopeA of project bom-ref-sub-project-1 and scopeB of project bom-ref-root-project-1. Instead of just project names, we have references to component from the SBOM. If we use project name as a key, we cannot certainly link it to a component.

So the question is should we use

{ "name": "cdx:maven:package:projectsAndScope", "value":"bom-ref-sub-project-1:scopeA" }

instead of

{ "name": "cdx:maven:package:projectsAndScope", "value":"sub-project-1:scopeA" },

?

[jkowalleck]

re: #107 (comment)

I understand, but this seems debatable, especially with https://cyclonedx.org/capabilities/bomlink/ in mind.

I'd suggest omitting cdx:maven:package:projectsAndScope from the taxonomy for now.
This way you have the required cdx:maven:package:test in place soon, and can continue implementing it.

The taxonomy can be extended and modified at any time.
After discussing the cdx:maven:package:projectsAndScope with your community, you can add it later, still.

How does this sound to you?