Open
Description
SBoM generation tools (like cdxgen) might encounter artifacts already built along with source code and package manager manifests. In such cases, indicating the lifecycle phases associated with the given component(s) or their parent component(s) would be nice.
In 1.5, lifecycles can be an array of values or name-description objects. Similar to component evidence, lifecycles could optionally accept bom-link, bom-ref, purl, and cpe to make it granular. In addition, we can also add evidence methods so that the generator can justify how and why it thinks the components or the bom belong to a particular phase. Understanding the tool's assumptions is useful since the definition of `build` and `post-build` differs based on the organization and team.
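As an added illustration of the proposal above (not code from cdxgen or the CycloneDX project): `validate_lifecycle` checks the real CycloneDX 1.5 `metadata.lifecycles` item shape, while `lifecycle_with_evidence` builds a per-component lifecycle entry with a `bom-ref` and evidence `methods` in the shape this issue suggests, which is hypothetical and not part of the 1.5 schema. The phase heuristic and sample paths are constructed for the example.

```python
# CycloneDX 1.5 lifecycle phase enum (real).
PHASES = {"design", "pre-build", "build", "post-build",
          "operations", "discovery", "decommission"}


def validate_lifecycle(entry):
    """True if `entry` is a valid 1.5 lifecycle item: either {"phase": <enum>}
    or a custom {"name": ..., "description": ...} object, never a mix of both."""
    if not isinstance(entry, dict):
        return False
    if "phase" in entry:
        return entry["phase"] in PHASES and not ({"name", "description"} & entry.keys())
    return isinstance(entry.get("name"), str) and isinstance(entry.get("description"), str)


def lifecycle_with_evidence(bom_ref, observations):
    """HYPOTHETICAL shape from this issue, not 1.5 spec: a phase, the bom-ref it
    applies to, and evidence methods explaining why the generator chose the phase.
    `observations` maps what the generator saw ("manifest", "binary") to a path."""
    methods = []
    if "manifest" in observations:
        methods.append({"technique": "manifest-analysis", "confidence": 0.6,
                        "value": observations["manifest"]})
    if "binary" in observations:
        methods.append({"technique": "binary-analysis", "confidence": 0.8,
                        "value": observations["binary"]})
    # Constructed heuristic: a built artifact sitting beside the manifest is
    # taken as post-build; a manifest alone is taken as build.
    phase = "post-build" if "binary" in observations else "build"
    return {"phase": phase, "bom-ref": bom_ref, "evidence": {"methods": methods}}


def example_bom():
    """Constructed sample BOM: real metadata.lifecycles plus the proposed
    per-component `lifecycles` entry (hypothetical field)."""
    ref = "pkg:maven/org.example/app@1.0.0"
    entry = lifecycle_with_evidence(ref, {"manifest": "pom.xml", "binary": "target/app.jar"})
    return {
        "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
        "metadata": {"lifecycles": [
            {"phase": "build"},
            {"name": "platform-release", "description": "Internal release gate"},
        ]},
        "components": [{"type": "application", "bom-ref": ref, "name": "app",
                        "version": "1.0.0", "purl": ref, "lifecycles": [entry]}],
    }


if __name__ == "__main__":
    bom = example_bom()
    print(all(validate_lifecycle(e) for e in bom["metadata"]["lifecycles"]))
```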