From 7b873828e7307d4f49a136194cbd1d810f09c98b Mon Sep 17 00:00:00 2001
From: Agustin Isasmendi
Date: Thu, 19 Mar 2026 13:09:46 +0100
Subject: [PATCH 1/2] feat(schema): add `acknowledgement` field to BOM operations

---
 scanoss-settings-schema.json | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/scanoss-settings-schema.json b/scanoss-settings-schema.json
index bbdaa40..41647e5 100644
--- a/scanoss-settings-schema.json
+++ b/scanoss-settings-schema.json
@@ -288,6 +288,10 @@
 "comment": {
 "type": "string",
 "description": "Additional notes or comments"
+ },
+ "acknowledgement": {
+ "type": "string",
+ "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
 }
 },
 "uniqueItems": true,
@@ -298,7 +302,8 @@
 {
 "path": "src/lib/component.js",
 "purl": "pkg:npm/lodash@4.17.21",
- "comment": "Full match: path + purl"
+ "comment": "Full match: path + purl",
+ "acknowledgement": "Confirmed: lodash 4.17.21 vendored under src/lib"
 },
 {
 "purl": "pkg:npm/vue@2.6.12",
@@ -329,6 +334,10 @@
 "comment": {
 "type": "string",
 "description": "Additional notes or comments"
+ },
+ "acknowledgement": {
+ "type": "string",
+ "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
 }
 },
 "anyOf": [
@@ -342,7 +351,8 @@
 {
 "path": "src/main.c",
 "purl": "pkg:npm/vue@2.6.12",
- "comment": "Full match: removes only this purl at this path"
+ "comment": "Full match: removes only this purl at this path",
+ "acknowledgement": "Reviewed and confirmed as original code, not third-party"
 },
 {
 "purl": "pkg:npm/deprecated-pkg@1.0.0",
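Review bot: The `acknowledgement` property added to the include, remove and replace operation schemas (hunks `@@ -288`, `@@ -329`, and `@@ -378` on the next line) is an unconstrained string, so `"acknowledgement": ""` validates even though the description calls it a formal acknowledgement that is propagated to SBOM output; `"minLength": 1` would reject an empty acknowledgement, and a `maxLength` would bound what gets copied verbatim into generated SBOMs. Separately, the `"uniqueItems": true` context line in the first hunk compares whole objects, so two include entries with the same path and purl but different acknowledgement text are no longer duplicates to the validator; if one decision per path/purl is intended, that uniqueness now has to be enforced outside the schema. The enclosing property definitions begin and end outside these hunks.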
@@ -378,6 +388,10 @@
 "type": "string",
 "description": "Additional notes or comments"
 },
+ "acknowledgement": {
+ "type": "string",
+ "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
+ },
 "license": {
 "type": "string",
 "description": "License of the replacement component. Should be a valid SPDX license expression (e.g. `MIT`, `Apache-2.0`, `GPL-3.0-only`).",
@@ -402,7 +416,8 @@
 "purl": "pkg:npm/old-lib@1.0.0",
 "replace_with": "pkg:npm/new-lib@2.0.0",
 "license": "MIT",
- "comment": "Upgrade to newer version"
+ "comment": "Upgrade to newer version",
+ "acknowledgement": "Verified upstream project is the correct attribution"
 }
 ]
 ]

From 2349f6fe88e3ca49129c375694f88879e73dc747 Mon Sep 17 00:00:00 2001
From: Agustin Isasmendi
Date: Tue, 24 Mar 2026 16:25:19 +0100
Subject: [PATCH 2/2] feat(schema): add `organization` and `timestamp` fields to BOM schema

---
 scanoss-settings-schema.json | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)

diff --git a/scanoss-settings-schema.json b/scanoss-settings-schema.json
index 41647e5..d78632c 100644
--- a/scanoss-settings-schema.json
+++ b/scanoss-settings-schema.json
@@ -18,6 +18,11 @@
 "description": {
 "type": "string",
 "description": "Description of the project"
+ },
+ "organization": {
+ "type": "string",
+ "description": "Name of the organization responsible for this project and its BOM decisions",
+ "examples": ["SCANOSS"]
 }
 }
 },
@@ -292,6 +297,12 @@
 "acknowledgement": {
 "type": "string",
 "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "ISO 8601 UTC timestamp recording when this BOM decision was made",
+ "examples": ["2026-03-15T10:30:00Z"]
 }
 },
 "uniqueItems": true,
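Review bot: The new `timestamp` property (hunk `@@ -292`, repeated in `@@ -338` and `@@ -392` on the next line) is described as an "ISO 8601 UTC timestamp", but `"format": "date-time"` accepts any RFC 3339 offset such as `+01:00`, and in most JSON Schema validators `format` is only an annotation unless format assertion is enabled, so nothing in the schema enforces UTC or even a well-formed value. Either relax the description to "RFC 3339 date-time" or pin it with a pattern, e.g. `"pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?Z$"`. The `organization` property in hunk `@@ -18` is likewise a bare string; `"minLength": 1` would keep an empty name from reading as a valid attribution. The enclosing object definitions begin outside these hunks.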
@@ -303,7 +314,8 @@
 "path": "src/lib/component.js",
 "purl": "pkg:npm/lodash@4.17.21",
 "comment": "Full match: path + purl",
- "acknowledgement": "Confirmed: lodash 4.17.21 vendored under src/lib"
+ "acknowledgement": "Confirmed: lodash 4.17.21 vendored under src/lib",
+ "timestamp": "2026-03-15T10:30:00Z"
 },
 {
 "purl": "pkg:npm/vue@2.6.12",
@@ -338,6 +350,12 @@
 "acknowledgement": {
 "type": "string",
 "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
+ },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "ISO 8601 UTC timestamp recording when this BOM decision was made",
+ "examples": ["2026-03-15T10:30:00Z"]
 }
 },
 "anyOf": [
@@ -352,7 +370,8 @@
 "path": "src/main.c",
 "purl": "pkg:npm/vue@2.6.12",
 "comment": "Full match: removes only this purl at this path",
- "acknowledgement": "Reviewed and confirmed as original code, not third-party"
+ "acknowledgement": "Reviewed and confirmed as original code, not third-party",
+ "timestamp": "2026-03-15T10:30:00Z"
 },
 {
 "purl": "pkg:npm/deprecated-pkg@1.0.0",
@@ -392,6 +411,12 @@
 "type": "string",
 "description": "Formal acknowledgement of this BOM decision, propagated to SBOM output"
 },
+ "timestamp": {
+ "type": "string",
+ "format": "date-time",
+ "description": "ISO 8601 UTC timestamp recording when this BOM decision was made",
+ "examples": ["2026-03-15T10:30:00Z"]
+ },
 "license": {
 "type": "string",
 "description": "License of the replacement component. Should be a valid SPDX license expression (e.g. `MIT`, `Apache-2.0`, `GPL-3.0-only`).",
@@ -417,7 +442,8 @@
 "replace_with": "pkg:npm/new-lib@2.0.0",
 "license": "MIT",
 "comment": "Upgrade to newer version",
- "acknowledgement": "Verified upstream project is the correct attribution"
+ "acknowledgement": "Verified upstream project is the correct attribution",
+ "timestamp": "2026-03-15T10:30:00Z"
 }
 ]
 ]