[FEATURE]: Reference Transparency Exchange API Collection

[ppkarwasz]

Describe the feature

Since the TEA Collection provides a versioned and mutable set of external references related to a given CycloneDX Component (more precisely a TEA Component), it would be useful to reference it from an SBOM document.

SBOM documents are inherently immutable and the only possible sources of mutability are:

• changes in the end-of-support policies (see [FEATURE]: Add external reference type for support policy/lifecycle metadata #591).
• changes in VDR-s/VEX-es and other security-related documents (TEA Artifacts).

While in version 1.6 of CycloneDX we can already include external reference of type threat-model, vulnerability-assertion, exploitability-statement and so on, these URLs must necessarily point to the "live/current" version of those documents and there is no audit trail of their modifications.

The TEA Collection object solves that problem.

Possible solutions

The easiest solution would be to add a tea-collection or tea-component external reference type that points to the appropriate OpenAPI endpoint on a TEA Server.

Alternatives

An alternative solution would be to add tea-component as first class property of the CycloneDX Component element, since a TEA Collection can replace many external references at the same time.

Note: In the future it should be possible to infer the location of the TEA Server from a component's purl or other property. However, the current auto-discovery protocol does not provide such a possibility.

[jkowalleck]

@ppkarwasz could you create a pullrequest with the solution you have in mind?
the pullrequest should target the branch "1.7-dev" https://github.com/CycloneDX/specification/tree/1.7-dev

you can fork this very repo, create a branch for your feature and work in there 👍

[ppkarwasz]

I’ve already opened PR #634 to address this, but I’m holding off on finalizing it until some ongoing discussions in the TEA working group are resolved.

The core issue we’re trying to clarify is what kind of URI should be used for external SBOM references:

• Pointing directly to a TEA server’s /collection endpoint could be fragile — if the server moves or changes structure, the link may break.
• Using TEI identifiers instead would be more stable and persistent, but this approach requires users to search through potentially many TEA Components and versions to locate the exact TEA Collection relevant to the SBOM.

We’re currently discussing related topics in the TEA group that should help settle this. Until there’s more clarity, I’ll keep the PR in draft state.

[stevespringett]

Moving to 2.0