From: Thomas Perale via buildroot <buildroot@buildroot.org>
To: Quentin Schulz <quentin.schulz@cherry.de>
Cc: Thomas Perale <thomas.perale@mind.be>, buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH v5 7/8] utils/generate-cyclonedx: add 'id' property to resolves
Date: Thu, 9 Apr 2026 22:24:52 +0200
Message-ID: <20260409202452.299708-1-thomas.perale@mind.be>
In-Reply-To: <8a81626c-cac7-40c9-adb1-56d8ef8b4067@cherry.de>

Hi Quentin,

Thanks for taking the time to look at this series. Really helpful to discuss
the new features.

> Are you aware of tools that were broken before this? Would be nice for the commit log :)

None that I'm aware of, I just found it odd that the `id` property wasn't used
when adding support for it over security.buildroot.org and gave it a second
look.

> My opinion is this isn't v1.7-specific but rather a "fix" or "improvement" that we don't necessarily need to have in this series. What do you think of having this as a separate patch (or at the beginning of the series so the series can be applied partially easily)?

Sure, good idea.

> Honestly strange we have id and name for seemingly the same thing. The introducing commit was 2512eb835a46 ("#21 - Added support for patches and unit tests for JSON schema") for both and https://github.com/CycloneDX/specification/issues/21 doesn't shine a light on why for either. The only hint is https://github.com/CycloneDX/specification/issues/21#issuecomment-625104801 where
>
> ```
> <issue type="[ defect | enhancement | security ]" ref="7bc2d01f-a0e8-4ae2-a274-7bd188f89926">
> <id>18</id>
> <name>LDAP Injection</name>
> <description>blah blah</description>
> <source>NPM Advisories</source>
> <url>https://www.npmjs.com/advisories/18</url>
> </issue>
> ```
>
> With ID being the number assigned by npm (though you'll note that the link is a redirect to a CVE in the GitHub Advisory Database) and name the title of the CVE.
>
> The example in the same comment for CVE on NVD sets id and name to the CVE full number, so I guess this checks out with what's implemented in this patch, so

I think you could also interpret it outside of the scope of security
vulnerabilities. If a pedigree resolves something like a JIRA ticket, for
instance, the `id` is the ID of the ticket on JIRA while the name is the title,
probably? That is how I interpret it, at least.

PERALE Thomas
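
An added illustration, not part of the thread or of Buildroot's utils/generate-cyclonedx: a hypothetical SBOM consumer that subtracts the issues listed under `pedigree.patches[].resolves[]` from a scanner's findings, showing how an entry that carries only `name` is missed by a matcher keyed on `id`. The BOM, the package names and the `CVE-0000-…` identifiers are constructed placeholders, and the function names are assumptions.

```python
import json

# Constructed sample: pkg-a's patch resolves an issue with both 'id' and 'name'
# (same value, as discussed in the thread); pkg-b's entry carries only 'name'.
SAMPLE_BOM = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"name": "pkg-a", "version": "1.0",
     "pedigree": {"patches": [
       {"type": "unofficial",
        "resolves": [{"type": "security",
                      "id": "CVE-0000-0001", "name": "CVE-0000-0001"}]}]}},
    {"name": "pkg-b", "version": "2.0",
     "pedigree": {"patches": [
       {"type": "unofficial",
        "resolves": [{"type": "security", "name": "CVE-0000-0002"}]}]}}
  ]
}
""")


def resolved_issues(bom, strict_id=True):
    """Map component name -> set of issue identifiers its patches resolve.

    strict_id=True models a consumer that reads only 'id';
    strict_id=False falls back to 'name' when 'id' is absent.
    Only top-level components are walked (nested ones are out of scope here).
    """
    out = {}
    for comp in bom.get("components", []):
        ids = set()
        for patch in comp.get("pedigree", {}).get("patches", []):
            for issue in patch.get("resolves", []):
                key = issue.get("id")
                if key is None and not strict_id:
                    key = issue.get("name")
                if key:
                    ids.add(key)
        out[comp["name"]] = ids
    return out


def still_open(bom, reported, strict_id=True):
    """Drop scanner findings {component: [ids]} that a patch already resolves."""
    resolved = resolved_issues(bom, strict_id)
    return {c: sorted(set(v) - resolved.get(c, set()))
            for c, v in reported.items()}
```
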