How to reference a component 'external layer' belonging

[tperale]

Embedded Systems build-systems such as Buildroot, Yocto or OpenWRT all have their own definition of a an 'external layer':

• Buildroot has 'externals'
• OpenWRT has 'feeds'
• Yocto has 'layers'

These external layers act as extensions that group together packages (translated into components in the sbom) and build metadata.
Multiple 'external layers' are composed together to provide the different 'component' and build a final firmware. When generating a CycloneDX SBOMs of the final image we want to be able to reference which 'external layer' provided a component.

After reading multiple time the spec I don't see any property of the component that could fit this description.

What we would do usually is define the build system under the metadata property and the layer that compose it under the metadata:components property:

{
  "metadata": {
   "type": "firmware",
   "bom-ref": "buildroot",
    "name": "buildroot",
    "components": [
      {
        "type": "firmware",
        "bom-ref": "layer1",
        "name": "layer1",
      },
      {
        "type": "firmware",
        "bom-ref": "layer2",
        "name": "layer2",
      },
    ]
  }
 ...
}

What would be the proper way for a component to reference with a bom-link the layer that provided it ? I thought about supplier maybe but seems to fit more hardware stuff in general since we don't have any address to provide or maybe externalReferences but this would require an addition of a new type to suits the definiton of an 'external layer'.

[airtower-luna]

On note that may be important: The packages (components) from the external layer aren't necessarily packages developed by whoever is supplying the external layer. Of course they could be, but the external layer may simply package 3rd party software needed for the firmware, or as an in-between case custom patched versions of 3rd party software. Or a mix of all those.

The equivalent in traditional Linux distros would be to build a VM or container image and install things from additional (custom/3rd-party) package repositories.

[tperale]

This could maybe be defined with distribution-intake https://cyclonedx.org/docs/1.7/json/#components_items_externalReferences_items_type

The location where a component was published to. This is often the same as "distribution" but may also include specialized publishing processes that act as an intermediary.

...
"components": [
  {
    "bom-ref": "pkg:a"
    "name": "a",
   "externalReferences": [
     {
       "type": "distribution-intake",
       "url": "urn:cdx:<serial>/<number>#layer1"
     }
   ]
]
...

The distribution-intake definition could be extended or another externalReferences:type could be added to suit this use case better.