
sbom-composer's People

Contributors

fmanning07, ivanayov, swinslow, vargenau, vmwghbot


sbom-composer's Issues

Update to SPDX 2.3

Currently the tool generates SPDX 2.2. The tools-golang parser is already updated to 2.3, so we can update as well.

Add multi-version support, as 2.2 is ISO approved.

Adopt CycloneDX

Currently the SBOM composer parses only SPDX SBOMs. For more complete data, it would be great to be able to compose CDX as well.

The easiest approach would be to use a CDX-to-SPDX conversion tool, in order not to depend on both parsers.

In the longer term, we might reconsider adopting a CDX parser as well and allowing CDX as an output if there were such a requirement.

Invalid SPDX generated

A directory sbom-composer containing two files AAA.spdx and BBB.spdx.

Files are attached (suffix .txt added to be able to upload on GitHub).

compose -c ~/git/sbom-composer/config/example_config.yaml -d test-sbom-composer -s test-sbom-composer.spdx 

File test-sbom-composer.spdx is not valid SPDX.

The following warning(s) were raised: [Invalid element reference in relationship: SPDXRef-top-level-artifact-1.0 at line number 47, Invalid element reference in relationship: SPDXRef-top-level-artifact-1.0 at line number 48, Package at line 34 invalid: Missing required package files for top-level-artifact, Missing required license information from files for top-level-artifact, Missing required package files for top-level-artifact]

AAA.spdx.txt
BBB.spdx.txt
test-sbom-composer.spdx.txt

Stray space at end of filename for MAINTAINERS.md

Not really a functionality bug :) but after cloning the repo, I noticed that the filename for 'MAINTAINERS.md' appears to have an extra whitespace character at the end of the filename. This doesn't really show up in GitHub, but it should be visible when looking at the repo contents in a terminal locally.

Allow package filtering

A proposal by @puerco.

Currently the sbom-composer adds all packages from micro SBOMs to the final document.

We would like to support something like:

compose --exclude-package <package_name>

or via the config.yaml:

excludedPackages:
  - package1
  - package2
  ...

What other elements should be allowed for filtering?

  • Packages are the bare minimum
  • If a package is excluded from the composed doc, all elements it's related to should be excluded as well
  • Others?
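An added example of the exclusion semantics proposed above; it is not code from the sbom-composer project and uses a hypothetical in-memory document model instead of tools-golang's types. The rule "everything the excluded package is related to goes too" is interpreted here as reachability: after removing the named packages, only what is still reachable from SPDXRef-DOCUMENT is kept, so a dependency reachable only through an excluded package is dropped while a dependency shared with a kept package survives, and no relationship is left pointing at a removed SPDXRef. Exclude, parentChild, KeptNames and SampleDoc are names invented for the example, and the sample document is constructed.

```go
package main

import (
	"fmt"
	"sort"
)

// Minimal stand-ins for the SPDX elements the composer merges; the real
// tool works on tools-golang's types, which carry many more fields.
type Package struct{ SPDXID, Name string }
type Relationship struct{ From, Type, To string }
type Doc struct {
	Packages      []Package
	Relationships []Relationship
}

const docRoot = "SPDXRef-DOCUMENT"

// parentChild orients a relationship parent -> child. The *_BY / *_OF forms
// point the other way; every other type is taken as written (an assumption
// that covers the types used in the sample, not the full SPDX list).
func parentChild(r Relationship) (parent, child string) {
	switch r.Type {
	case "CONTAINED_BY", "DESCRIBED_BY", "DEPENDENCY_OF":
		return r.To, r.From
	}
	return r.From, r.To
}

// Exclude drops the packages named in excluded (the proposed
// excludedPackages list) and keeps only what is still reachable from
// SPDXRef-DOCUMENT without passing through an excluded package.
// Relationships touching a removed element are dropped as well.
func Exclude(d Doc, excluded []string) Doc {
	ban := map[string]bool{}
	for _, p := range d.Packages {
		for _, n := range excluded {
			if p.Name == n {
				ban[p.SPDXID] = true
			}
		}
	}
	children := map[string][]string{}
	for _, r := range d.Relationships {
		p, c := parentChild(r)
		children[p] = append(children[p], c)
	}
	// Depth-first walk from the document root, never entering a banned node.
	keep := map[string]bool{docRoot: true}
	stack := []string{docRoot}
	for len(stack) > 0 {
		cur := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		for _, c := range children[cur] {
			if !ban[c] && !keep[c] {
				keep[c] = true
				stack = append(stack, c)
			}
		}
	}
	var out Doc
	for _, p := range d.Packages {
		if keep[p.SPDXID] {
			out.Packages = append(out.Packages, p)
		}
	}
	for _, r := range d.Relationships {
		if keep[r.From] && keep[r.To] {
			out.Relationships = append(out.Relationships, r)
		}
	}
	return out
}

// KeptNames lists the surviving package names in sorted order.
func KeptNames(d Doc) []string {
	var names []string
	for _, p := range d.Packages {
		names = append(names, p.Name)
	}
	sort.Strings(names)
	return names
}

// SampleDoc is a constructed composed document: two micro SBOMs (app-a,
// app-b) under a top-level artifact, one private dependency and one shared.
func SampleDoc() Doc {
	return Doc{
		Packages: []Package{
			{"SPDXRef-top", "top-level-artifact"},
			{"SPDXRef-a", "app-a"},
			{"SPDXRef-b", "app-b"},
			{"SPDXRef-a-only", "libonlya"},
			{"SPDXRef-shared", "libshared"},
		},
		Relationships: []Relationship{
			{"SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-top"},
			{"SPDXRef-top", "CONTAINS", "SPDXRef-a"},
			{"SPDXRef-top", "CONTAINS", "SPDXRef-b"},
			{"SPDXRef-a", "DEPENDS_ON", "SPDXRef-a-only"},
			{"SPDXRef-a", "DEPENDS_ON", "SPDXRef-shared"},
			{"SPDXRef-shared", "DEPENDENCY_OF", "SPDXRef-b"},
		},
	}
}

func main() {
	out := Exclude(SampleDoc(), []string{"app-a"})
	fmt.Println("kept packages:", KeptNames(out))
	for _, r := range out.Relationships {
		fmt.Println(r.From, r.Type, r.To)
	}
}
```

Excluding app-a removes libonlya with it but keeps libshared, because app-b still reaches it; a name-only filter that deleted just the listed package would leave libonlya orphaned and the CONTAINS/DEPENDS_ON lines dangling, which is exactly the kind of document tools-golang rejects.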

"compose" is not optimal as name for the executable

This is not a real bug, but I do not like the name "compose" for the executable as there is already a Unix command "compose".

I would prefer something like "sbom-compose".

man compose

RUN-MAILCAP(1)                                         Run Mailcap Programs                                         RUN-MAILCAP(1)

NAME
       run-mailcap, view, see, edit, compose, print - execute programs via entries in the mailcap file

SYNOPSIS
       run-mailcap --action=ACTION [--option[=value]] [MIME-TYPE:[ENCODING:]]FILE [...]

       The see, edit, compose and print versions are just aliases that default to the view, edit, compose, and print actions (respectively).

Update configuration support

Verify if all the config fields are properly loaded and used.

Make a list of what else should be moved to config.

Running the compose command inside the directory gives segmentation violation

A directory sbom-composer containing two files AAA.spdx and BBB.spdx.

Files are attached (suffix .txt added to be able to upload on GitHub).

Running the compose command inside the directory:

cd test-sbom-composer
compose -c ~/git/sbom-composer/config/example_config.yaml -d test-sbom-composer -s test-sbom-composer.spdx 
..generating composed SPDX document from directory: test-sbom-composer
...using config: /home/vargenau/git/sbom-composer/config/example_config.yaml
error while building spdx document reference for path test-sbom-composer with config top-level-artifact, &{https://spdx.org/spdxdocs/ Tool sbom-composer-1.0 [] map[]}: lstat test-sbom-composer: no such file or directory
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x88 pc=0x5c67db]

goroutine 1 [running]:
github.com/vmware-samples/sbom-composer/parser.Build({0x7ffdb2826764, 0x12}, 0xc0000ba000)
	/home/vargenau/go/pkg/mod/github.com/vmware-samples/sbom-composer/[email protected]/build.go:18 +0x15b
github.com/vmware-samples/sbom-composer/parser.GenerateComposedDoc({0x7ffdb2826764, 0x12}, {0x7ffdb282677a, 0x17}, {0x61b9ad, 0x2}, {0x7ffdb2826725?, 0x0?})
	/home/vargenau/go/pkg/mod/github.com/vmware-samples/sbom-composer/[email protected]/build.go:34 +0x73
main.runSBOMCompose(0x79c1a0?, {0x61bc54?, 0x6?, 0x6?})
	/home/vargenau/git/sbom-composer/cli/sbom_compose.go:60 +0x171
github.com/spf13/cobra.(*Command).execute(0x79c1a0, {0xc000012080, 0x6, 0x6})
	/home/vargenau/go/pkg/mod/github.com/spf13/[email protected]/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0x79c1a0)
	/home/vargenau/go/pkg/mod/github.com/spf13/[email protected]/command.go:990 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
	/home/vargenau/go/pkg/mod/github.com/spf13/[email protected]/command.go:918
main.main()
	/home/vargenau/git/sbom-composer/cli/sbom_compose.go:67 +0x25

AAA.spdx.txt
BBB.spdx.txt

Invalid SPDX generated when config file is not found

When config file is not found, the program should stop with an error message and not create an invalid SPDX file.

compose -d NSP-22-9-test1 -s NSP-22-9-test1.spdx

...generating composed SPDX document from directory: NSP-22-9-test1
...using config: config.yaml
failed reading yaml file
 open config.yaml: no such file or directory
...document saved to NSP-22-9-test1.spdx in "tv" format

Examples of invalid SPDX generated as it has no value for "packageName":

##### Package:
SPDXID: SPDXRef-Package-
##### Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-
Relationship: SPDXRef-- DESCRIBES SPDXRef-NSP-22-9-test1-
Relationship: SPDXRef-- DESCRIBES SPDXRef-analytics-action-processor-app-22-9-0-rel-image-
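Both this report and the earlier "Invalid SPDX generated" one show the composer writing a tag-value document that the SPDX tooling later rejects: relationships naming SPDXIDs that are never defined, and packages with an empty PackageName. An added example, not code from the sbom-composer project, of a narrow pre-flight check that a CI step could run on the composed file before publishing it. ValidateTagValue and its helpers are invented names; the sample document is constructed to resemble the fragments in the two reports; external DocumentRef references are skipped rather than resolved. It is not a full SPDX validator.

```go
package main

import (
	"fmt"
	"strings"
)

// Finding is one validation problem with the 1-based line it was found on.
type Finding struct {
	Line int
	Msg  string
}

// splitTag splits "Tag: value" into tag and trimmed value. ok is false for
// blank lines, "##### Package:" section headers and other comment lines.
func splitTag(line string) (tag, value string, ok bool) {
	if strings.HasPrefix(line, "#") {
		return "", "", false
	}
	i := strings.Index(line, ":")
	if i < 0 {
		return "", "", false
	}
	return strings.TrimSpace(line[:i]), strings.TrimSpace(line[i+1:]), true
}

// isExternalRef reports whether a reference points into another document
// (DocumentRef-x:SPDXRef-y); those cannot be checked against this file.
func isExternalRef(ref string) bool { return strings.Contains(ref, ":") }

// ValidateTagValue checks a tag-value SPDX document for the two defects the
// reports describe: relationships that reference undefined SPDXIDs and
// packages whose PackageName is empty.
func ValidateTagValue(doc string) []Finding {
	lines := strings.Split(doc, "\n")
	defined := map[string]bool{"NONE": true, "NOASSERTION": true}
	var findings []Finding

	// Pass 1: collect every SPDXID and flag empty package names.
	for n, line := range lines {
		tag, value, ok := splitTag(line)
		if !ok {
			continue
		}
		switch tag {
		case "SPDXID":
			defined[value] = true
		case "PackageName":
			if value == "" {
				findings = append(findings, Finding{n + 1, "PackageName is empty"})
			}
		}
	}

	// Pass 2: every Relationship must be "A TYPE B" with A and B defined here.
	for n, line := range lines {
		tag, value, ok := splitTag(line)
		if !ok || tag != "Relationship" {
			continue
		}
		f := strings.Fields(value)
		if len(f) != 3 {
			findings = append(findings, Finding{n + 1, "malformed relationship: " + value})
			continue
		}
		for _, ref := range []string{f[0], f[2]} {
			if !defined[ref] && !isExternalRef(ref) {
				findings = append(findings, Finding{n + 1, "relationship references undefined element " + ref})
			}
		}
	}
	return findings
}

// sampleTV is a constructed fragment modelled on the broken output in the
// reports: an unnamed package and relationships to IDs that never appear.
const sampleTV = `SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: composed
##### Package:
PackageName:
SPDXID: SPDXRef-Package-
##### Package:
PackageName: AAA
SPDXID: SPDXRef-AAA
##### Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-AAA
Relationship: SPDXRef-- DESCRIBES SPDXRef-AAA
Relationship: SPDXRef-AAA CONTAINS SPDXRef-top-level-artifact-1.0
`

func main() {
	for _, f := range ValidateTagValue(sampleTV) {
		fmt.Printf("line %d: %s\n", f.Line, f.Msg)
	}
}
```

On the sample this reports the empty PackageName on line 6 and the undefined SPDXRef-- and SPDXRef-top-level-artifact-1.0 references on lines 14 and 15; a non-empty result is the signal to fail the build step rather than ship the file, which is the behaviour the report asks for when the config is missing.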
