Store SBOM files in a dedicated directory, separate from the source code. This might be a top-level directory in the repository named something like SBOMs.
I see one of the objectives of this document is to drive common locations and naming conventions to facilitate SBOM discovery. Like #32, I would expect this document to recommend a specific directory name. The current language is ambiguous.
Would the WG be interested in the following language?
Store SBOM files in a dedicated directory, separate from the source code. This should be a top-level directory in the repository named sboms.
Related, I think there is a case for suggesting a standard system installation directory for SBOMs, so they can be found locally. E.g. /lib/sboms/$packagename.cdx.json.
Ah, sorry. I'm specifically thinking of the situation after the build step (when an SBOM is produced), namely when the artifacts are installed. In this case I think accompanying SBOM files would be good to have installed in a standard location along with the build artifacts.
Apologies for that. I guess a separate ticket is in order then? 🙂
Ref https://github.com/ossf/sbom-everywhere/blob/main/reference/sbom_naming.md
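As an added illustration (not code from the sbom-everywhere project or from anyone in this thread) of why a fixed, lowercase directory name matters for discovery: the script below locates a repository's top-level SBOM directory, flags a directory that matches only case-insensitively (on a case-sensitive filesystem `SBOMs` and `sboms` are different paths, so tooling that looks for one misses the other), and inventories the files by the `<package><suffix>` convention used in the `/lib/sboms/$packagename.cdx.json` suggestion above. The `.cdx.json` suffix comes from the thread; `.spdx.json` and the JSON key sniffing (`bomFormat`, `spdxVersion`) are assumptions about how the two formats identify themselves, and the repository layout is constructed inside a temporary directory.

```python
import json
import tempfile
from pathlib import Path

RECOMMENDED_DIR = "sboms"  # directory name proposed in the issue body
# ".cdx.json" appears in the thread; ".spdx.json" is an assumed SPDX JSON suffix.
SBOM_SUFFIXES = (".cdx.json", ".spdx.json")


def locate_sbom_dir(repo_root):
    """Return (path, recommended) for the first top-level directory named
    'sboms' ignoring case, or (None, False) when there is none.

    recommended is True only for the exact lowercase name: on a case-sensitive
    filesystem 'SBOMs' and 'sboms' are distinct, so a tool hard-coded to one
    spelling silently misses the other.
    """
    for child in sorted(Path(repo_root).iterdir()):
        if child.is_dir() and child.name.lower() == RECOMMENDED_DIR:
            return child, child.name == RECOMMENDED_DIR
    return None, False


def list_sboms(sbom_dir):
    """Map package name -> list of SBOM paths using the <package><suffix> rule.
    Files without a known suffix (README, checksums, ...) are ignored."""
    found = {}
    for path in sorted(Path(sbom_dir).iterdir()):
        if not path.is_file():
            continue
        for suffix in SBOM_SUFFIXES:
            if path.name.endswith(suffix):
                found.setdefault(path.name[: -len(suffix)], []).append(path)
                break
    return found


def sbom_kind(path):
    """Classify a file by its contents rather than trusting the suffix alone
    (assumed identifying keys: CycloneDX 'bomFormat', SPDX 'spdxVersion')."""
    with open(path, encoding="utf-8") as fh:
        doc = json.load(fh)
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if "spdxVersion" in doc:
        return "spdx"
    return "unknown"


def demo():
    """Constructed repository layout that follows the proposed convention."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "src").mkdir()
        sboms = repo / "sboms"
        sboms.mkdir()
        (sboms / "mypkg.cdx.json").write_text(
            json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.5"}))
        (sboms / "mypkg.spdx.json").write_text(
            json.dumps({"spdxVersion": "SPDX-2.3"}))
        (sboms / "README.md").write_text("not an SBOM")
        found_dir, ok = locate_sbom_dir(repo)
        inventory = {pkg: [sbom_kind(p) for p in paths]
                     for pkg, paths in list_sboms(found_dir).items()}
        return found_dir.name, ok, inventory


def demo_miscased():
    """Constructed layout using 'SBOMs': found case-insensitively, but flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp)
        (repo / "SBOMs").mkdir()
        found_dir, ok = locate_sbom_dir(repo)
        return found_dir.name, ok


if __name__ == "__main__":
    print(demo())
    print(demo_miscased())
```

Run as-is to see the conforming layout inventoried and the mis-cased one flagged; point `locate_sbom_dir` at a real checkout (or `list_sboms` at `/lib/sboms`) to apply the same check elsewhere.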