Hermeto records patch provenance for patched dependencies in CycloneDX via pedigree patches, but that metadata is not carried over when the SBOM is converted to SPDX format, and the patch information is effectively dropped.
The SPDX v2 specification defines a similar way to report patches: the externalRefs object on a package. See spdx-spec/v2.3.
--
https://github.com/hermetoproject/integration-tests/tree/yarn/v4
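To make the loss concrete, here is an added example (not Hermeto's own code) of a minimal CycloneDX to SPDX 2.3 package conversion. The naive version copies name, version and purl and silently discards `pedigree.patches`; the second version maps each patch to an `externalRefs` entry with `referenceCategory` OTHER, which is the one category whose `referenceType` is free-form. The input component, the patch URLs and the `referenceType` string `cyclonedx-pedigree-patch` are constructed assumptions for this example; SPDX 2.3 registers no reference type for patches, so the string is a local convention, not an SPDX identifier.

```python
"""
Added example, not Hermeto's own code: a minimal CycloneDX -> SPDX 2.3
package conversion showing how `pedigree.patches` is dropped by a naive
conversion and how it can be preserved as SPDX `externalRefs` entries.
The input component and the `referenceType` string "cyclonedx-pedigree-patch"
are constructed assumptions for this example.
"""
import re

# Constructed CycloneDX component carrying patch pedigree in the shape
# the CycloneDX schema uses (pedigree.patches[].type / .diff.url / .resolves).
CYCLONEDX_COMPONENT = {
    "type": "library",
    "name": "left-pad",
    "version": "1.3.0",
    "purl": "pkg:npm/left-pad@1.3.0",
    "pedigree": {
        "patches": [
            {
                "type": "unofficial",
                "diff": {"url": "file:///.yarn/patches/left-pad-npm-1.3.0-abc123.patch"},
            },
            {
                "type": "backport",
                "diff": {"url": "https://example.invalid/fix-trailing-space.patch"},
                "resolves": [{"type": "defect", "id": "EXAMPLE-42"}],
            },
        ]
    },
}

# Assumed local convention; SPDX 2.3 registers no reference type for patches.
PATCH_REF_TYPE = "cyclonedx-pedigree-patch"


def spdx_id(component):
    """SPDXRef IDs may only contain letters, digits, '.' and '-'."""
    raw = f"{component['name']}-{component['version']}"
    return "SPDXRef-Package-" + re.sub(r"[^A-Za-z0-9.\-]", "-", raw)


def to_spdx_package_naive(component):
    """Lossy conversion: keeps name/version/purl and drops pedigree entirely."""
    return {
        "SPDXID": spdx_id(component),
        "name": component["name"],
        "versionInfo": component["version"],
        "downloadLocation": "NOASSERTION",
        "externalRefs": [
            {
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": component["purl"],
            }
        ],
    }


def to_spdx_package_with_patches(component):
    """Same conversion, but every pedigree patch becomes an externalRefs entry."""
    package = to_spdx_package_naive(component)
    for patch in component.get("pedigree", {}).get("patches", []):
        locator = patch.get("diff", {}).get("url", "NOASSERTION")
        resolves = ";".join(r.get("id", "") for r in patch.get("resolves", []))
        comment = f"patch type={patch.get('type', 'unofficial')}"
        if resolves:
            comment += f"; resolves={resolves}"
        package["externalRefs"].append(
            {
                "referenceCategory": "OTHER",  # free-form referenceType is allowed here
                "referenceType": PATCH_REF_TYPE,
                "referenceLocator": locator,
                "comment": comment,
            }
        )
    return package


def patch_refs(package):
    """Return the externalRefs entries that carry patch provenance."""
    return [
        r
        for r in package.get("externalRefs", [])
        if r.get("referenceCategory") == "OTHER" and r.get("referenceType") == PATCH_REF_TYPE
    ]


def patch_count_preserved(component, package):
    """True when every CycloneDX pedigree patch survived the conversion."""
    expected = len(component.get("pedigree", {}).get("patches", []))
    return len(patch_refs(package)) == expected


if __name__ == "__main__":
    lossy = to_spdx_package_naive(CYCLONEDX_COMPONENT)
    kept = to_spdx_package_with_patches(CYCLONEDX_COMPONENT)
    print("naive conversion preserves patches:", patch_count_preserved(CYCLONEDX_COMPONENT, lossy))
    print("externalRefs conversion preserves patches:", patch_count_preserved(CYCLONEDX_COMPONENT, kept))
    for ref in patch_refs(kept):
        print(ref["referenceLocator"], "|", ref["comment"])
```

`patch_count_preserved` is the check a test suite would run against both formats: the CycloneDX patch count must equal the number of patch-carrying `externalRefs` after conversion. Embedding the patch `type` and any `resolves` IDs in the `comment` field keeps the information human-readable without claiming a registered SPDX type for it.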