Is there any filed for commit id?

[robberphex]

We want to use CycloneDX sbom to trace where the artficate from.

We noticed that there is externalReferences with name vcs could specify git repo.
But there is no name for specify git commit id.

Could CycloneDX introduce a name for git commit id?

Here is an example from spring-boot.

    {
      "type" : "library",
      "bom-ref" : "pkg:maven/org.springframework.boot/[email protected]?type=jar",
      "publisher" : "VMware, Inc.",
      "group" : "org.springframework.boot",
      "name" : "spring-boot",
      "version" : "3.5.4",
      "description" : "Spring Boot",
      "scope" : "required",
      "licenses" : [
        {
          "license" : {
            "id" : "Apache-2.0"
          }
        }
      ],
      "purl" : "pkg:maven/org.springframework.boot/[email protected]?type=jar",
      "externalReferences" : [
        {
          "type" : "website",
          "url" : "https://spring.io/projects/spring-boot"
        },
        {
          "type" : "issue-tracker",
          "url" : "https://github.com/spring-projects/spring-boot/issues"
        },
        {
          "type" : "vcs",
          "url" : "https://github.com/spring-projects/spring-boot"
        }
      ]
    }

[jkowalleck]

git is just one of many VCS.
CycloneDX has the capability to communicate a component's "version".

Could you elaborate on the purpose of expressing a certain git node ID?

[robberphex]

In extreme cases, version is unstable in the code base, such as tag could be deleted, changed.
And in some project, there is no tag, and version is always 1.0.0-SNAPSHOT. The developers just deploy code at release branch.

Of course, those are anti-pattern.
But in those cases, record git commit id (or other commit id), is more traceable, reproducible.