How could a CycloneDX SBOM look like for SLUL components?
=========================================================

It would be nice if the compiler could automatically generate SBOMs when
it builds artifacts.

Of course, the compiler might not know everything. In particular, it
doesn't know "soft" details such as whether a software is in the design
phase or not (but on the other hand, that information could very well
be added as some attribute in the source code, that the compiler can
read and use in the SBOM).

Problem with interfaces vs full runtime dependencies
----------------------------------------------------

SLUL can build an artifact without having the (full) dependencies.
Transitive dependencies are never needed for (dynamic) builds.
How to represent this in CycloneDX?

Maybe interfaces should have a separate name, with `__interface`
appended? This could then even have hashes etc.

Maybe this could be solved by having two types of SBOMs:

* `build` SBOMs with build-dependencies.
  Generated by the compiler.
* `post-build` (or `operations`) SBOMs with runtime-dependencies.
  Generated by the dynamic loader / runtime loader.


Attributes
----------

`lifecycles` -> `phase`:
  - `design`
    for libraries that doens't have any stable API?
    and for applications that don't have a version?
    or just anything without a version?
  - `pre-build`
    perhaps when depending on any component without a stable API? which
    would have to be vendored, so the build is incomplete without it.
  - `build`
    in the normal case?

`tools` -> `components`
    - should include the compiler (the BOM generator)

`component`
    - the main component.
    - libraries can have the interface as a separate sub-component
      via the `component` -> `components` field.

`licenses`
    - this is the license of the BOM itself.
    - should probably be omitted.
    - the compiler cannot really know this.

`properties`
    - can contain custom properties
    - maybe any compiler options specific to SBOM should be included here?

`components`
    - list of components, can be used in dependency declarations.

`services`
    - list of services, can be used in dependency declarations.
    - note that a dependency declaration can specifiy "provides" also
      (but it is still a dependency!)
    - this can contain intra-process services also.

`dependencies`
    - can have provides, perhaps for API hashes / interfaces in case of SLUL

`compositions`
    - don't understand this one really.
    - it can specify a set of components in `assemblies` and `dependencies`
    - it can be `complete` or various forms of `incomplete`

`formulation`
    - how the *component* (not SBOM) was produced.
    - can contain components, services, properties, etc.
    - maybe the compiler command line (minus filesystem paths) could be
      included here? excluding anything specific to SBOM generation.

`standards`
    - perhaps SLUL could have some (custom) "standards" for applications
      that do not have unrestricted access to system stuff?
      i.e. sandboxed applications.

<component> -> `type`:
  - `application`
    for applications (i.e. that implement a service and declare `entry`s)
  - `library`
    for libraries (including libraries written in other languages,
    such as the RTL)
  - `framework`
    for service loaders
  - `platform`
    for the dynamic loader (note that this is only a dependency for
    the applications and/or services (think about this))
  - `container`
    not used in the current design, but could be a nice extension, e.g.
    for full distributions of applications including libraries and
    frameworks.
  - `file`
    not yet used in the current design, but might be necessary for
    things like resources.

<component> -> (`supplier`, `manufacturer`, `authors`,
`publisher`, `group`, `copyright`):
    - these cannot be provided by the compiler. *Maybe* `authors` could
      be extracted from copyright lines, though?
      (But there's also `copyright` for that)

<component> -> `name`:
    - module name

<component> -> `version`:
    - module version

<component> -> `scope`:
    - `required` (default)
    - `optional`
      double check what is meant by this. But it sounds like it couldn't
      occur in case of SLUL.

<component> -> `hashes`:
    - what is being hashed here? the input source, or the output execuable?

<component> -> `licenses`:
    - should probably have an attribute in the module source code.
    - this uses SPDX licenses/expressions.

<component> -> `cpe`:
    - identity of component using CPE
    - `purl` is the recommended option for F/OSS components.
    - cannot be provided by compiler, maybe via some custom attribute
      in the source code though?

<component> -> `purl`:
    - identity of component using package-url
    - cannot be provided by compiler, maybe via some custom attribute
      in the source code though?
    - a package type should perhaps be merged to use this.
        - there's also a `generic` type, e.g. for VCS URLs.
    - the syntax is for example `pkg:pkgtype/namespace/name@ver?quals#subpath`
    - `namespace` is optional, but it would be nice to have some namespacing
      supporting here. It *could* be the API hash, but it might be
      unconventional, since it changes with new versions.
    - If interfaces are considered as separate components, then the `ver`
      could specify the API hash perhaps? BUT I think `ver` needs to come
      in numeric order... So perhap `quals` is a better place to put the
      API hash.
    - `quals` is for e.g. CPU, OS, etc. Could be relevant for non-SLUL
      components perhaps. E.g. `arch=x86_64-linux-gnu` or even
      `cpu=x86_64&os=linux&libc=gnu`. Or maybe `indep=something_v1` for some
      architecture-independent format.
    - Debian additionally has `arch=source`
    - `quals` can also be a VCS or package URL. That's what CPAN does here. 
    - `subpath` is type specific. Could perhaps be used for distinguishing
      from different ways to invoke (or not automatically invoke) the
      platform (i.e. the dynamic loader / runtime loader).
      E.g. `#slul-elf-interp-v1`

<component> -> `omniborId`:
    - some kind of identifier-URI again
    - can have GIT commit IDs, tags, etc.


<component> -> (`swhid`, `swid`):
    - two more (unrelated! but similarly named) identifier-URIs again.

<component> -> `pedigree`:
    - how a component was forked/patched/etc.
    - the compiler cannot determine this.

<component> -> (`externalReferences`, `releaseNotes`, `tags`):
    - the compiler cannot determine this.

<component> -> `components`:
    - parts of a component.
    - maybe the interface of a library could be a component?
    - each element is a nested component.

<component> -> `evidence`:
    - `identity` -> `methods` 
      could have `source-code-analysis` with confidence 1 (100%) for
      e.g. hashed interface definitions. Or `ast-fingerprint` perhaps.

<component> -> `modelCard`:
    - not applicable
    - relevant to machine-learning models only

<component> -> `cryptoProperties`:
    - when is this applicable? for embedded keys/hashes?

<component> -> `properties`:
    - can contain custom data. maybe API hashes for SLUL

<component> -> `signature`:
    - this is probably better produced by some other tool?


Services
--------

Should "services" (in CycloneDX terminology) be used for something?
But there's no much information to specify for intra-process services here.
It seems to be mostly intended for external services.

<service> -> `x-trust-boundary`
    - could probably be `false` for all intra-process stuff?

<service> -> `properties`
    - custom properties