I'm wondering if it would be very beneficial to expand the "pre-build" phase in 0x20-Lifecycle_Phases.md.
I imagine this phase implies quite a few important steps involved in the final assembly of an SBOM, including authoritative information about components acquired from a supplier upstream, that may be
- …updated unilaterally by the component author:
  - Author name
  - Author email
  - Component unique name
  - Component version/release
  - Project name
  - Project repository
  - Project contact information
  - Project license
  - Project issue/bug tracker URL
  - List of known vulnerabilities this release has addressed
  - etc.
- …updated unilaterally by the software distribution service (e.g. a native package source, like Debian's APT repositories, or FreeBSD's ports system):
  - Package download URL
  - Packager's name
  - Packager's email
  - Packager's security advisory URL
  - List of patches/changes applied by the packager
  - etc.