From 231167ebbdefdd82b72d41682c830e83449e8f3a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Martin=20Prpi=C4=8D?= Date: Wed, 9 Oct 2024 11:27:00 -0400 Subject: [PATCH] Clarify SBOM type for release-time SBOMs ...to better align with the CISA SBOM type definitions. --- docs/sbom.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/docs/sbom.md b/docs/sbom.md index 8130ca8..e8006a5 100644 --- a/docs/sbom.md +++ b/docs/sbom.md 
@@ -56,13 +56,14 @@ components used during the build process to produce the final artifact as well a process itself. This SBOM type also aligns with the _Build_ SBOM type from CISA's guidance on [Types of SBOM Documents](https://www.cisa.gov/sites/default/files/2023-04/sbom-types-document-508c.pdf). -_Release-time_ SBOMs are generated when an artifact is released or published. These SBOMs build upon build-time -SBOMs by incorporating additional metadata, such as the repositories or locations where the artifact is +_Release-time_ SBOMs are created when an artifact is released or published. These SBOMs build upon build-time +SBOMs by incorporating additional metadata, such as the repositories or locations where an artifact is published, and associating it with the relevant product information if there is any. Release-time SBOMs reflect the -state of the software as it is distributed to end users. This SBOM type is close to the _Deployed_ type as defined -by CISA, but it reflects the state of the product that _would_ be installed by a given end user. +state of the software as it is distributed to end users. This SBOM type should still be considered as a _Build_ SBOM +as defined by CISA, but it simply includes additional metadata that is not available during the build process and is +added later on. For lack of a better term, we could call these _Curated Build SBOMs_. -Red Hat's publicly available SBOMs are of the "release-time" type, including details about where an artifact +Red Hat's publicly available SBOMs are of the release-time type, including details about where an artifact can be located after being released. **Example**:
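Review bot: the rewritten paragraph now classifies release-time SBOMs as CISA _Build_ SBOMs, but the preceding paragraph already says build-time SBOMs align with the _Build_ type, so the document ends up with two of its own types mapped to one CISA type without saying what, if anything, a consumer can infer from the distinction; the old text at least explained why the _Deployed_ type was rejected ("reflects the state of the product that _would_ be installed"), and that reasoning is dropped rather than replaced. Suggest keeping one sentence that states why _Deployed_ does not apply (the SBOM is produced before installation and describes the distributed artifact, not an installed instance) so the reader is not left to guess. The closing sentence "For lack of a better term, we could call these _Curated Build SBOMs_" also introduces a new, unexplained term at the end of a definition; either define it once and use it consistently in the rest of the document, or drop the sentence, since a hedged name in a normative doc tends to get quoted as if it were an official type. Minor: in the last hunk the quotes around "release-time" are removed, but the term is italicized (`_Release-time_`) where it is defined above; `Red Hat's publicly available SBOMs are of the _release-time_ type` would match the existing convention.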