Extend the SBOM schema #27

Closed
eddie-knight opened this issue Aug 28, 2023 · 1 comment · Fixed by #45
eddie-knight commented Aug 28, 2023

This issue is part of #26.

Currently, the SBOM example is:

  sbom:
  - sbom-file: https://foo.bar/sbom
    sbom-name: CycloneDX
    sbom-url: https://foo.bar

In addition to the suggestion contained within #25, it may be prudent to add the following values to the SBOM schema:

  • sbom-creation: | Lorem Ipsum...
    • Description of how the SBOM is created (it is expected that the SBOM is automatically generated upon every release, but the 2022 Cloud Native Security Slam showed us that projects often cut corners by manually generating their SBOMs)
  • sbom-generated: DATETIME
    • Allowing end users to automatically compare the release date to the SBOM generation date can increase trust in the information. This suggestion is debatable, especially considering that the previous value solves a similar need.
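The consumer-side check described in the second bullet (comparing the SBOM generation date with the release date), written out as an added example; this is not code from the issue or from the security-insights project. It assumes the proposed keys are present, that `sbom-generated` is an ISO 8601 timestamp, that the release date is supplied by the consumer, and a seven-day staleness threshold.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample entry using the existing keys (sbom-file, sbom-name, sbom-url)
# plus the two keys proposed in the issue. A real SECURITY-INSIGHTS.yml would be
# loaded with a YAML parser; a plain dict keeps this example dependency-free.
SAMPLE_SBOM_ENTRY = {
    "sbom-file": "https://foo.bar/sbom",
    "sbom-name": "CycloneDX",
    "sbom-url": "https://foo.bar",
    "sbom-creation": "Generated by the release workflow on every tagged release.",
    "sbom-generated": "2023-08-27T10:00:00Z",
}

# Hypothetical release timestamp, as a consumer would read it from release metadata.
SAMPLE_RELEASE_DATE = datetime(2023, 8, 28, 12, 0, tzinfo=timezone.utc)


def parse_datetime(value: str) -> datetime:
    """Parse an ISO 8601 timestamp; a trailing 'Z' is normalised to +00:00."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)  # assumption: naive timestamps are UTC
    return dt


def check_sbom_entry(entry: dict, release_date: datetime,
                     max_gap: timedelta = timedelta(days=7)) -> list[str]:
    """Return a list of findings; an empty list means the entry passed every check."""
    findings = []
    for key in ("sbom-file", "sbom-url"):
        url = entry.get(key, "")
        parsed = urlparse(url)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(f"{key} must be an https URL, got {url!r}")
    if not entry.get("sbom-creation", "").strip():
        findings.append("sbom-creation is missing: no description of how the SBOM is produced")
    generated = entry.get("sbom-generated")
    if generated is None:
        findings.append("sbom-generated is missing: cannot compare against the release date")
    else:
        try:
            gen_dt = parse_datetime(generated)
        except ValueError:
            findings.append(f"sbom-generated is not an ISO 8601 datetime: {generated!r}")
        else:
            if gen_dt > release_date:
                findings.append("sbom-generated is after the release: SBOM was not produced with the release")
            elif release_date - gen_dt > max_gap:
                findings.append(f"sbom-generated predates the release by more than {max_gap.days} days")
    return findings
```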
@luigigubello

I like the proposed key sbom-creation but I don't know if the name is the best one, even if we can define the goal of the key in schema.yaml. Do you have any other suggestions for the name of this key?

About sbom-generated, I totally agree with your comment:

"This suggestion is debatable, especially considering that the previous value solves a similar need."

A good point to deprecate datetime, whenever possible, is that it is time-consuming to keep it updated. Every time maintainers update the SBOM, they need to update SECURITY-INSIGHTS, so I am not sure if it is a good idea, but this is not a strong opinion, just an old - and recurrent - discussion about datetime in this kind of spec.
