git.stella-ops.org/docs/contracts/sbom-volatile-fields.json
2026-01-24 00:12:43 +02:00


{
"$schema": "https://json-schema.org/draft/2020-12/schema",
"title": "SBOM Volatile Fields Contract",
"description": "Authoritative list of SBOM fields stripped before canonicalization to ensure deterministic hashes. Referenced by SbomNormalizer.",
"version": 1,
"cyclonedx": {
"strip": [
{
"path": "serialNumber",
"scope": "root",
"rationale": "UUID regenerated on every BOM creation; not content-derived."
},
{
"path": "metadata.timestamp",
"scope": "metadata",
"rationale": "Generation timestamp varies per run; not content-derived."
},
{
"path": "metadata.tools",
"scope": "metadata",
"rationale": "Tool name, version, and vendor vary across scanner installs and do not reflect the scanned content."
},
{
"path": "metadata.authors",
"scope": "metadata",
"rationale": "Author identity varies per operator; does not affect component inventory."
}
],
"specVersions": ["1.4", "1.5", "1.6", "1.7"]
},
"spdx": {
"strip": [
{
"path": "creationInfo.created",
"scope": "creationInfo",
"rationale": "Timestamp of SPDX document creation; varies per run."
},
{
"path": "creationInfo.creators",
"scope": "creationInfo",
"rationale": "Tool identifiers include version strings (e.g., 'Tool: syft-1.2.3') and vary across installs."
},
{
"path": "creationInfo.licenseListVersion",
"scope": "creationInfo",
"rationale": "Tracks the upstream SPDX license list version available at scan time; not content-derived."
}
],
"specVersions": ["2.2", "2.3", "3.0", "3.0.1"]
}
}