vmware-samples / sbom-composer
A tool that takes two or more micro SBOMs and composes them into one distributable SBOM
License: BSD 2-Clause "Simplified" License
Currently the tool generates SPDX 2.2. The tools-golang parser is already updated to 2.3, so we can update as well.
Add multi-version support, as 2.2 is ISO approved.
Currently the SBOM composer parses only SPDX SBOMs. For more complete data it would be great to be able to compose CDX as well.
The easiest approach would be to use a CDX to SPDX convert tool, in order to not depend on both parsers.
In the longer term, we might reconsider adopting a CDX parser as well and allowing CDX as an output if there is such a requirement.
A directory sbom-composer containing two files AAA.spdx and BBB.spdx. Files are attached (suffix .txt added to be able to upload on GitHub).
compose -c ~/git/sbom-composer/config/example_config.yaml -d test-sbom-composer -s test-sbom-composer.spdx
File test-sbom-composer.spdx is not valid SPDX.
The following warning(s) were raised: [Invalid element reference in relationship: SPDXRef-top-level-artifact-1.0 at line number 47, Invalid element reference in relationship: SPDXRef-top-level-artifact-1.0 at line number 48, Package at line 34 invalid: Missing required package files for top-level-artifact, Missing required license information from files for top-level-artifact, Missing required package files for top-level-artifact]
Not really a functionality bug :) but after cloning the repo, I noticed that the filename for 'MAINTAINERS.md' appears to have an extra whitespace character at the end of the filename. This doesn't really show up in GitHub, but it should be visible when looking at the repo contents in a terminal locally.
A proposal by @puerco.
Currently the sbom-composer adds all packages from micro SBOMs to the final document.
We would like to support something like:
compose --exclude-package <package_name>
or via the config.yaml:
excludedPackages:
- package1
- package2
...
What other elements should be allowed for filtering?
When working with an SPDX file provided by https://github.com/kubernetes-sigs/bom, I get this error. Removing the checksum fixes it but it would be better to not need manual intervention on the files.
Example file:
b.spdx.txt
The tools-golang parser's methods refer to specific SPDX spec versions. Make sure to abstract and minimise their use for easier support of spec updates.
This is not a real bug, but I do not like the name "compose" for the executable as there is already a Unix command "compose".
I would prefer something like "sbom-compose".
man compose
RUN-MAILCAP(1) Run Mailcap Programs RUN-MAILCAP(1)
NAME
run-mailcap, view, see, edit, compose, print - execute programs via entries in the mailcap file
SYNOPSIS
run-mailcap --action=ACTION [--option[=value]] [MIME-TYPE:[ENCODING:]]FILE [...]
The see, edit, compose and print versions are just aliases that default to the view, edit, compose, and print actions (respectively).
Verify if all the config fields are properly loaded and used.
Make a list of what else should be moved to config.
A directory sbom-composer containing two files AAA.spdx and BBB.spdx. Files are attached (suffix .txt added to be able to upload on GitHub).
Running the compose command inside the directory:
cd test-sbom-composer
compose -c ~/git/sbom-composer/config/example_config.yaml -d test-sbom-composer -s test-sbom-composer.spdx
..generating composed SPDX document from directory: test-sbom-composer
...using config: /home/vargenau/git/sbom-composer/config/example_config.yaml
error while building spdx document reference for path test-sbom-composer with config top-level-artifact, &{https://spdx.org/spdxdocs/ Tool sbom-composer-1.0 [] map[]}: lstat test-sbom-composer: no such file or directory
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x88 pc=0x5c67db]
goroutine 1 [running]:
github.com/vmware-samples/sbom-composer/parser.Build({0x7ffdb2826764, 0x12}, 0xc0000ba000)
/home/vargenau/go/pkg/mod/github.com/vmware-samples/sbom-composer/[email protected]/build.go:18 +0x15b
github.com/vmware-samples/sbom-composer/parser.GenerateComposedDoc({0x7ffdb2826764, 0x12}, {0x7ffdb282677a, 0x17}, {0x61b9ad, 0x2}, {0x7ffdb2826725?, 0x0?})
/home/vargenau/go/pkg/mod/github.com/vmware-samples/sbom-composer/[email protected]/build.go:34 +0x73
main.runSBOMCompose(0x79c1a0?, {0x61bc54?, 0x6?, 0x6?})
/home/vargenau/git/sbom-composer/cli/sbom_compose.go:60 +0x171
github.com/spf13/cobra.(*Command).execute(0x79c1a0, {0xc000012080, 0x6, 0x6})
/home/vargenau/go/pkg/mod/github.com/spf13/[email protected]/command.go:872 +0x694
github.com/spf13/cobra.(*Command).ExecuteC(0x79c1a0)
/home/vargenau/go/pkg/mod/github.com/spf13/[email protected]/command.go:990 +0x3b4
github.com/spf13/cobra.(*Command).Execute(...)
/home/vargenau/go/pkg/mod/github.com/spf13/[email protected]/command.go:918
main.main()
/home/vargenau/git/sbom-composer/cli/sbom_compose.go:67 +0x25
When config file is not found, the program should stop with an error message and not create an invalid SPDX file.
compose -d NSP-22-9-test1 -s NSP-22-9-test1.spdx
...generating composed SPDX document from directory: NSP-22-9-test1
...using config: config.yaml
failed reading yaml file
open config.yaml: no such file or directory
...document saved to NSP-22-9-test1.spdx in "tv" format
Examples of invalid SPDX generated as it has no value for "packageName":
##### Package:
SPDXID: SPDXRef-Package-
##### Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-
Relationship: SPDXRef-- DESCRIBES SPDXRef-NSP-22-9-test1-
Relationship: SPDXRef-- DESCRIBES SPDXRef-analytics-action-processor-app-22-9-0-rel-image-
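Both the "Invalid element reference in relationship" warnings reported for test-sbom-composer.spdx and the empty-name output above can be caught before a composed document is shipped. The following Go lint is an added example, not part of sbom-composer or tools-golang; it only knows the two tag-value lines involved (SPDXID and Relationship) and the rule that an SPDXID ending in "-" is the trace of an empty package name.

```go
package main

import (
	"fmt"
	"strings"
)

type Finding struct{ Line int; Msg string } // Line is 1-based

// LintTagValue scans an SPDX tag-value document for the two defects quoted in
// the issues above: SPDXIDs ending in "-" (what an empty package name leaves
// behind) and Relationship lines naming an element that is never declared.
// Forward references are fine; NONE, NOASSERTION and external DocumentRef-
// targets are not resolved. A heuristic lint, not a full SPDX validator.
func LintTagValue(doc string) []Finding {
	declared := map[string]bool{}
	type ref struct{ line int; id string }
	var refs []ref
	var out []Finding
	for i, raw := range strings.Split(doc, "\n") {
		text := strings.TrimSpace(raw)
		if strings.HasPrefix(text, "SPDXID:") {
			id := strings.TrimSpace(strings.TrimPrefix(text, "SPDXID:"))
			if !strings.HasPrefix(id, "SPDXRef-") || strings.HasSuffix(id, "-") {
				out = append(out, Finding{i + 1, fmt.Sprintf("malformed SPDXID %q", id)})
			}
			declared[id] = true
		} else if strings.HasPrefix(text, "Relationship:") {
			parts := strings.Fields(strings.TrimPrefix(text, "Relationship:")) // <idA> <TYPE> <idB>
			if len(parts) != 3 {
				out = append(out, Finding{i + 1, "malformed Relationship line"})
				continue
			}
			refs = append(refs, ref{i + 1, parts[0]}, ref{i + 1, parts[2]})
		}
	}
	for _, r := range refs { // resolve after the full pass so forward references work
		skip := r.id == "NONE" || r.id == "NOASSERTION" || strings.HasPrefix(r.id, "DocumentRef-")
		if !skip && !declared[r.id] {
			out = append(out, Finding{r.line, "invalid element reference in relationship: " + r.id})
		}
	}
	return out
}

// invalidDoc is a constructed sample mirroring the output quoted in the issue above.
const invalidDoc = `SPDXID: SPDXRef-DOCUMENT
##### Package:
SPDXID: SPDXRef-Package-
##### Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-
Relationship: SPDXRef-- DESCRIBES SPDXRef-NSP-22-9-test1-`
```

Running LintTagValue over invalidDoc reports the malformed SPDXRef-Package- id on line 3 and the two dangling references on line 6, which is exactly what a "stop on missing config" guard in the composer would have prevented.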