Comments (4)
What is needed is a dedicated tool for BOM merging. Adding this capability into every CycloneDX implementation would be a lot of work and re-creating the wheel. But I agree, a dedicated tool that has this functionality is needed.
Since JavaScript is typically used alongside other tech stacks, the CycloneDX Node module has an optional parameter (-a) which allows you to specify additional BOMs to append to the one you're creating.
So, the workflow would be to first create the .NET BOM, then create the Node BOM but specify the .NET BOM as an additional BOM to merge in. This functionality exists today. However, it will not deduplicate, ensure unique bom-refs, or account for schema extensions. So, by using this feature, it's possible to create a BOM that doesn't validate and will be stripped of extensions (if you use them). Because of this, it's typically OK to merge in two or more BOMs from different ecosystems, but merging in BOMs from the same ecosystem (e.g. two NPM BOMs) will likely result in an invalid BOM.
Merging BOMs can be a bit complex, which is why a dedicated tool is necessary. But go ahead and give the above workflow a try. It may work in your case. I personally use it with a Java stack all the time and it works fine.
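As an added example (not code from the CycloneDX Node module, the CLI or this thread), the following merge does the two things the -a append is described as not doing: it drops components that are the same package (same purl) and renames colliding bom-refs, rewriting the appended dependency graph to match. The two BOMs are constructed samples of the same-ecosystem case the comment warns about (two npm BOMs).

```javascript
function mergeBoms(primary, additional) {
  const out = JSON.parse(JSON.stringify(primary)); // deep copy, inputs stay untouched
  out.components = out.components || [];
  out.dependencies = out.dependencies || [];
  const byPurl = new Map(out.components.filter(c => c.purl).map(c => [c.purl, c["bom-ref"]]));
  const usedRefs = new Set(out.components.map(c => c["bom-ref"]));
  const refMap = new Map(); // bom-ref in `additional` -> bom-ref in the merged BOM
  for (const comp of additional.components || []) {
    const oldRef = comp["bom-ref"];
    if (comp.purl && byPurl.has(comp.purl)) {
      refMap.set(oldRef, byPurl.get(comp.purl)); // same package: drop it, redirect edges
      continue;
    }
    let ref = oldRef;
    if (ref !== undefined && usedRefs.has(ref)) {
      // A different component collides on bom-ref: give it a fresh unique ref.
      let i = 2;
      while (usedRefs.has(`${oldRef}-${i}`)) i++;
      ref = `${oldRef}-${i}`;
    }
    out.components.push({ ...comp, "bom-ref": ref });
    usedRefs.add(ref);
    if (comp.purl) byPurl.set(comp.purl, ref);
    refMap.set(oldRef, ref);
  }
  // Rewrite the appended dependency graph with the final refs and union the edges.
  const depIndex = new Map(out.dependencies.map(d => [d.ref, d]));
  for (const dep of additional.dependencies || []) {
    const ref = refMap.get(dep.ref) ?? dep.ref; // e.g. the root metadata ref stays as-is
    const dependsOn = (dep.dependsOn || []).map(r => refMap.get(r) ?? r);
    const existing = depIndex.get(ref);
    if (existing) existing.dependsOn = [...new Set([...(existing.dependsOn || []), ...dependsOn])];
    else { const e = { ref, dependsOn }; out.dependencies.push(e); depIndex.set(ref, e); }
  }
  return out;
}

// Constructed sample input: both BOMs carry lodash, and "pkg-1" names a different
// component in each, so plain appending would yield duplicate bom-refs.
const lib = (ref, name, version, purl) => ({ type: "library", "bom-ref": ref, name, version, purl });
const bomA = { bomFormat: "CycloneDX", specVersion: "1.4", version: 1,
  components: [lib("pkg-1", "lodash", "4.17.21", "pkg:npm/lodash@4.17.21")],
  dependencies: [] };
const bomB = { bomFormat: "CycloneDX", specVersion: "1.4", version: 1,
  components: [lib("pkg-1", "express", "4.18.2", "pkg:npm/express@4.18.2"),
               lib("pkg-2", "lodash", "4.17.21", "pkg:npm/lodash@4.17.21")],
  dependencies: [{ ref: "pkg-1", dependsOn: ["pkg-2"] }] };
console.log(JSON.stringify(mergeBoms(bomA, bomB), null, 2));
```

Schema extensions on the appended BOM are still not carried over; only the primary BOM's top-level fields survive the copy.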
@stevespringett Thanks for the reply. I have successfully installed the Node-module version and have run that and merged the output of the dotNet tool - very good, thank you.
I am just getting started with producing SBOMs automatically so it is good to know that I might face some challenges later on with duplicates etc. I look forward to the dedicated tool.
Since JavaScript is typically used alongside other tech stacks, the CycloneDX Node module has an optional parameter (-a) which allows you to specify additional BOMs to append to the one you're creating.
About this, there is no more such functionality for appending two BOMs, right @stevespringett?
@akshaydeodare The CycloneDX CLI has this ability built-in and is the recommended method of merging, given the complexity involved.