Extend or adjust schema based on CNSS feedback

[eddie-knight]

Several suggestions have arisen, through discussions had by the Cloud Native Security Slam metrics committee. The committee is formed of security-minded open source maintainers and informed by CNCF's TAG Security recommendations, with the goal of increasing the security hygiene for CNCF projects.

Each of these suggestions relate to metrics we will be evaluating during the upcoming Slam in October and November. If we are able to implement these suggestions to the schema, the committee believes that it will benefit the community to include Security Insights as a requirement for participating projects to streamline evaluation during the event.

I will be raising discussion on slack, and I'll use this GitHub Issue to keep track of suggestions as I create additional issues with suggestions. Please let me know if I can answer any questions about the overall intent behind these suggestions.

• Change value "sbom-name" to "sbom-format" #25
• Extend the SBOM schema #27
• Extend the dependency schema #28
• Add release and provenance values to schema #29
• Extend the Security Artifacts schema #30

[luigigubello]

Hi @eddie-knight thanks for the detailed issue 🙌

Several suggestions have arisen, through discussions had by the Cloud Native Security Slam metrics committee

🥳

• Change value "sbom-name" to "sbom-format" #25: it sounds good to me, I can open a PR this week or you can open a PR and add me as reviewer :)
• Extend the SBOM schema #27: I have answered in the issue
• Extend the dependency schema #28: I have answered [1 - 2] in the issue
• Add release and provenance values to schema #29: I have answered in the issue :)
• Extend the Security Artifacts schema #30: I have answered in the issue
• Refine the versioning process #31: I have also answered into issue#31, honestly I think it is an important issue and we should prioritize it.

I will start to prepare changes and draft PRs this week 🙌 (I hope)