
Feature Request: new ComponentType "runtime" #233

Open

dcentrica opened this issue Jun 1, 2023 · 6 comments

@dcentrica

As of v1.4 the only values accepted by components.type are as follows:

  • "application"
  • "framework"
  • "library"
  • "container"
  • "operating-system"
  • "device"
  • "firmware"
  • "file"

Having reviewed the definitions of each, none fits the bill to describe an application's runtime e.g. "JVM", "Python", "php-fpm" etc. These are programming language runtimes, and not "frameworks" or "libraries".

My suggestion is to add a new components.type of "runtime".

@stevespringett
Member

CycloneDX v1.5 adds a few more component types. One of the new types is platform, which is defined as

A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms

@jkowalleck
Member

jkowalleck commented Jun 1, 2023

JVM interprets byte code.
Python and php-fpm interpret (script) code.

PS: nowadays, some are actually just-in-time compilers, not pure interpreters.

@jkowalleck jkowalleck changed the title Feature Request: New Component Type "runtime" Feature Request: new ComponentType "runtime" Oct 13, 2023
@jkowalleck jkowalleck added this to the 1.6 milestone Oct 22, 2023
@jkowalleck jkowalleck self-assigned this Oct 22, 2023
@jkowalleck
Member

jkowalleck commented Oct 22, 2023

@dcentrica what about using component.type value "platform"?
We might adjust the documentation to make clear that it serves the desired purpose. What would have helped you?

- A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.
+ A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or interpret code, or just-in-time compilers, or low-code/no-code application platforms.
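Review bot: In the `+` line, "those that execute bytecode or interpret code, or just-in-time compilers" mixes verb phrases with a noun after "those that", so the list does not read as parallel. Suggest phrasing such as "runtimes that execute bytecode, interpret code, or compile just-in-time, as well as low-code/no-code application platforms", which keeps every item grammatically attached to "runtimes".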

@jkowalleck
Member

jkowalleck commented Oct 22, 2023

@stevespringett if we wanted to extend the docs and meaning of an enum, do we need to consult the @CycloneDX/industry-working-group ?

PS: got an answer offline: nope, not needed.

@jkowalleck
Member

jkowalleck commented Mar 18, 2025

I am planning to dig deeper into this and prototype the needed changes soon.

My short-sighted idea is to apply the changes from #233 (comment)

As of CDX 1.6 we have:

```json
"meta:enum": {
  "application": "A software application. Refer to [https://en.wikipedia.org/wiki/Application_software](https://en.wikipedia.org/wiki/Application_software) for information about applications.",
  "framework": "A software framework. Refer to [https://en.wikipedia.org/wiki/Software_framework](https://en.wikipedia.org/wiki/Software_framework) for information on how frameworks vary slightly from libraries.",
  "library": "A software library. Refer to [https://en.wikipedia.org/wiki/Library_(computing)](https://en.wikipedia.org/wiki/Library_(computing)) for information about libraries. All third-party and open source reusable components will likely be a library. If the library also has key features of a framework, then it should be classified as a framework. If not, or is unknown, then specifying library is recommended.",
  "container": "A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through virtualization technology. Refer to [https://en.wikipedia.org/wiki/OS-level_virtualization](https://en.wikipedia.org/wiki/OS-level_virtualization).",
  "platform": "A runtime environment which interprets or executes software. This may include runtimes such as those that execute bytecode or low-code/no-code application platforms.",
  "operating-system": "A software operating system without regard to deployment model (i.e. installed on physical hardware, virtual machine, image, etc) Refer to [https://en.wikipedia.org/wiki/Operating_system](https://en.wikipedia.org/wiki/Operating_system).",
  "device": "A hardware device such as a processor or chip-set. A hardware device containing firmware SHOULD include a component for the physical hardware itself and another component of type 'firmware' or 'operating-system' (whichever is relevant), describing information about the software running on the device. See also the list of [known device properties](https://github.com/CycloneDX/cyclonedx-property-taxonomy/blob/main/cdx/device.md).",
  "device-driver": "A special type of software that operates or controls a particular type of device. Refer to [https://en.wikipedia.org/wiki/Device_driver](https://en.wikipedia.org/wiki/Device_driver).",
  "firmware": "A special type of software that provides low-level control over a device's hardware. Refer to [https://en.wikipedia.org/wiki/Firmware](https://en.wikipedia.org/wiki/Firmware).",
  "file": "A computer file. Refer to [https://en.wikipedia.org/wiki/Computer_file](https://en.wikipedia.org/wiki/Computer_file) for information about files.",
  "machine-learning-model": "A model based on training data that can make predictions or decisions without being explicitly programmed to do so.",
  "data": "A collection of discrete values that convey information.",
  "cryptographic-asset": "A cryptographic asset including algorithms, protocols, certificates, keys, tokens, and secrets."
},
```
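To show what the thread converges on in practice, here is an added example (not code from the CycloneDX project or any participant): a minimal CycloneDX 1.6 BOM in which an application depends on its runtime, with the runtime typed `platform`, plus a small lint that checks every component type against the 1.6 `meta:enum` quoted above and that every dependency reference resolves. The application name, the OpenJDK runtime and its version are constructed sample values.

```python
"""Added example: type an application's runtime as a CycloneDX 1.6 "platform"
component and lint the BOM offline (not the CycloneDX project's own code)."""
import json

# Component types allowed by the CycloneDX 1.6 "meta:enum" quoted in the issue.
CDX_1_6_COMPONENT_TYPES = {
    "application", "framework", "library", "container", "platform",
    "operating-system", "device", "device-driver", "firmware", "file",
    "machine-learning-model", "data", "cryptographic-asset",
}


def build_bom(app_ref: str, runtime_ref: str, runtime_name: str, runtime_version: str) -> dict:
    """Minimal 1.6 BOM: an application that depends on its language runtime.
    The runtime is typed "platform" (the 1.5+ answer to this issue), not "library"."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "version": 1,
        "metadata": {"component": {"type": "application", "bom-ref": app_ref, "name": "shop-api"}},
        "components": [
            {"type": "platform", "bom-ref": runtime_ref, "name": runtime_name, "version": runtime_version},
        ],
        "dependencies": [
            {"ref": app_ref, "dependsOn": [runtime_ref]},
            {"ref": runtime_ref, "dependsOn": []},
        ],
    }


def lint_bom(bom: dict) -> list[str]:
    """Return a list of problems: unknown component types and dangling bom-refs."""
    problems = []
    comps = [bom.get("metadata", {}).get("component", {})] + bom.get("components", [])
    known_refs = set()
    for comp in comps:
        if comp.get("type") not in CDX_1_6_COMPONENT_TYPES:
            problems.append(f"{comp.get('bom-ref')}: unknown component type {comp.get('type')!r}")
        if "bom-ref" in comp:
            known_refs.add(comp["bom-ref"])
    for dep in bom.get("dependencies", []):
        for ref in [dep.get("ref")] + dep.get("dependsOn", []):
            if ref not in known_refs:
                problems.append(f"dependency references unknown bom-ref {ref!r}")
    return problems


if __name__ == "__main__":
    sample = build_bom("app-1", "jvm-1", "OpenJDK", "17.0.9")  # constructed sample values
    print(json.dumps(sample, indent=2))
    print(lint_bom(sample))  # -> []
```

Swapping the runtime's type for the requested but non-existent `"runtime"` value makes the lint report it, which is the check a BOM consumer would fail on today.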
