To make it easier for scanners to detect out-of-date and vulnerable dependencies. It also avoids inadvertently reinventing an SBOM format, as seen here.
CycloneDX (CDX) was chosen as the format to go with in T361943: Decide on a Software Bill of Materials (SBOM) format for MediaWiki
Overview of the spec: https://cyclonedx.org/specification/overview/
Examples of CDX files: https://cyclonedx.org/use-cases/
According to the spec, the file name should be either bom.json or *.cdx.json. I prefer foreign-resources.cdx.json to make it clear it's CDX.
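As an added example (not code from this task or from MediaWiki), the script below shows what the conversion looks like: a dict in the shape of a foreign-resources.yaml file (module names, URLs and file bodies are constructed; the field names type/src/files/integrity/purl are assumed to match the MediaWiki format) is rendered as a CycloneDX 1.5 JSON BOM. The security-relevant step is the integrity field: foreign-resources.yaml stores Subresource Integrity strings (sha384-<base64>), while CycloneDX hashes are hex with a named algorithm, and the converter rejects malformed or wrong-length digests rather than emitting a bogus hash a scanner would trust. It also checks the spec's file-name rule (bom.json or *.cdx.json).

```python
import base64
import hashlib
import json
from datetime import datetime, timezone

# Constructed digests: real SHA-384 values of made-up file bodies, so the
# sample integrity strings below are well formed.
JQUERY_DIGEST = hashlib.sha384(b"constructed jquery body").digest()
OOUI_JS_DIGEST = hashlib.sha384(b"constructed oojs-ui js body").digest()
OOUI_CSS_DIGEST = hashlib.sha384(b"constructed oojs-ui css body").digest()


def sri_from_digest(digest: bytes, alg: str = "sha384") -> str:
    """Build a Subresource Integrity string, the form foreign-resources.yaml uses."""
    return f"{alg}-{base64.b64encode(digest).decode()}"


# Constructed stand-in for a parsed foreign-resources.yaml (no PyYAML needed).
# Field names are an assumption about the MediaWiki format; URLs are fake.
FOREIGN_RESOURCES = {
    "jquery": {
        "license": "MIT",
        "version": "3.7.1",
        "purl": "pkg:npm/jquery@3.7.1",
        "type": "file",
        "src": "https://example.invalid/jquery-3.7.1.js",
        "integrity": sri_from_digest(JQUERY_DIGEST),
    },
    "oojs-ui": {
        "license": "MIT",
        "version": "0.49.0",
        "type": "multi-file",
        "files": {
            "oojs-ui.js": {"src": "https://example.invalid/oojs-ui.js",
                           "integrity": sri_from_digest(OOUI_JS_DIGEST)},
            "oojs-ui.css": {"src": "https://example.invalid/oojs-ui.css",
                            "integrity": sri_from_digest(OOUI_CSS_DIGEST)},
        },
    },
}

# SRI algorithm token -> (CycloneDX "alg" enum value, expected digest length in bytes)
SRI_ALGS = {"sha256": ("SHA-256", 32), "sha384": ("SHA-384", 48), "sha512": ("SHA-512", 64)}


def sri_to_cdx_hash(integrity: str) -> dict:
    """Convert 'sha384-<base64>' into a CycloneDX hash object {alg, content(hex)}.

    Unknown algorithms and digests of the wrong length raise ValueError, so a
    mangled integrity string cannot silently become a hash in the SBOM."""
    alg, sep, b64 = integrity.partition("-")
    if not sep or alg not in SRI_ALGS:
        raise ValueError(f"unsupported or malformed SRI value: {integrity!r}")
    cdx_alg, length = SRI_ALGS[alg]
    raw = base64.b64decode(b64, validate=True)  # binascii.Error is a ValueError
    if len(raw) != length:
        raise ValueError(f"{alg} digest must be {length} bytes, got {len(raw)}")
    return {"alg": cdx_alg, "content": raw.hex()}


def sri_is_valid(integrity: str) -> bool:
    """Boolean wrapper around sri_to_cdx_hash for validation passes."""
    try:
        sri_to_cdx_hash(integrity)
        return True
    except ValueError:
        return False


def artifacts(info: dict):
    """Yield (url, integrity) pairs for the 'file' and 'multi-file' entry types."""
    if info["type"] == "file":
        yield info["src"], info["integrity"]
    elif info["type"] == "multi-file":
        for entry in info["files"].values():
            yield entry["src"], entry["integrity"]
    else:
        raise ValueError(f"unhandled foreign-resources type: {info['type']}")


def to_cyclonedx(resources: dict) -> dict:
    """Render the resources map as a CycloneDX 1.5 JSON BOM (as a dict).

    Each module becomes a 'library' component; every downloaded artifact becomes a
    'distribution' externalReference carrying its URL and hash, which is how
    CycloneDX attaches integrity data to a remote file."""
    components = []
    for name, info in sorted(resources.items()):
        component = {"type": "library", "name": name, "version": str(info["version"])}
        if "purl" in info:
            component["purl"] = info["purl"]
        if "license" in info:
            component["licenses"] = [{"license": {"name": info["license"]}}]
        component["externalReferences"] = [
            {"type": "distribution", "url": url, "hashes": [sri_to_cdx_hash(sri)]}
            for url, sri in artifacts(info)
        ]
        components.append(component)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")},
        "components": components,
    }


def is_spec_filename(filename: str) -> bool:
    """True for the names the CycloneDX spec recognises: bom.json or *.cdx.json."""
    return filename == "bom.json" or (
        filename.endswith(".cdx.json") and len(filename) > len(".cdx.json"))


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(FOREIGN_RESOURCES), indent=2))
```

Running the script prints the BOM; writing it to foreign-resources.cdx.json keeps the *.cdx.json suffix the spec expects, so scanners that key on the file name will pick it up.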
List of WMF-deployed repos with foreign resources files:
- core
- mediawiki/extensions/3D
- mediawiki/extensions/Citoid
- mediawiki/extensions/CodeEditor
- mediawiki/extensions/CodeMirror
- mediawiki/extensions/DiscussionTools
- mediawiki/extensions/EventLogging
- mediawiki/extensions/Graph
- mediawiki/extensions/GrowthExperiments
- mediawiki/extensions/ProofreadPage
- mediawiki/extensions/TimedMediaHandler
- mediawiki/extensions/VisualEditor
- mediawiki/extensions/WikiLambda
Non-WMF repos:
- samwilson/diagrams-extension