Feature: Allow one sbom to be the primary document in assemble action #128
Comments
Another way to phrase this is the ability to do SBOM append. And add B to A. Where B is a dependency of A.

I agree this also should be a mode of operation for the tool. Let me add this as a feature request, should not be that hard to implement.
Adding discussion here for future reference:
So, my question is regarding how the structure of assembled SBOM-1 components looks like? So, I have 2 options in my mind:
I would say that the first structure is what I hope to get. The reason is that 'most' of the time you will have a file SBOM-1 that has its own primary component. And then SBOM-2 and SBOM-3 are dependencies that SBOM-1 should have, but the build tool that generates SBOM-1 could not represent them as they are not native integrations to the language of the build tool. But they are 100% dependencies of the product of SBOM-1.

Yeah, you can achieve this via one of the modes of assembling SBOMs called See here to know more about the different algorithms.

The component structure would be like this: all components of SBOM-1, SBOM-2, and SBOM-3 would be present serially or in a flat manner.
Hey @matglas, hope this looks as per your approach, i.e. the first method. Now, check this, where
And
And
And the final o/p sbom
Files attached:

Hi @viveksahu26, that is indeed what I was looking for. This is the way that I would want to represent it. There is one nuance which is more of an internal requirement. In your example

Ohh, you mean the input SBOMs' components to be present as a list in the final SBOM components section.
Something like this: https://gist.github.com/viveksahu26/51ea4129f216ba6a7726a90ee92cfaf8

I was already looking for the right wording indeed. The example that you created loses the relationship that https://gist.github.com/matglas/97aa2dcd7a79b8f0af9bff79cee3f757

Yeah, but the example
What I notice is that it's only possible to assemble while setting the primary tags or the config, and this is a limitation.
What I am looking for is to provide the primary component and add all the other BOMs as dependencies. At this point you are required to use the config even if you would have a proper root component and want to add the extra components from the SBOMs.
If there were a `--primary-component-file` flag that allowed you to base your file on that and add the other BOMs. Interested to hear what others think about this process.
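A sketch of the assembly the request above describes, added here as an illustration; it is not code from the tool discussed in this issue nor from anyone in the thread, and the `--primary-component-file` flag it mirrors is the proposed one, not an existing option. It takes one SBOM as the primary document, makes each other SBOM's own primary component a direct dependency of that root, and carries every other component and dependency edge over flat, so the sub-graphs of SBOM-2 and SBOM-3 survive instead of being lost. The three input SBOMs are constructed CycloneDX-style JSON trimmed to the fields the merge needs. One caveat worth handling: a `bom-ref` reused by two inputs for different components is refused rather than silently merged, since otherwise one input could overwrite another's identity in the result.

```python
import copy
import json

# Constructed sample inputs (CycloneDX-style, trimmed); not the attachments from the issue.
SBOM_1 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "application", "name": "app", "version": "1.0", "bom-ref": "app@1.0"}},
    "components": [{"type": "library", "name": "lib-a", "version": "1.0", "bom-ref": "lib-a@1.0"}],
    "dependencies": [{"ref": "app@1.0", "dependsOn": ["lib-a@1.0"]}, {"ref": "lib-a@1.0", "dependsOn": []}],
}
SBOM_2 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "library", "name": "lib-b", "version": "2.0", "bom-ref": "lib-b@2.0"}},
    "components": [{"type": "library", "name": "lib-b-core", "version": "2.0", "bom-ref": "lib-b-core@2.0"}],
    "dependencies": [{"ref": "lib-b@2.0", "dependsOn": ["lib-b-core@2.0"]}],
}
SBOM_3 = {
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {"component": {"type": "library", "name": "lib-c", "version": "3.1", "bom-ref": "lib-c@3.1"}},
    "components": [],
    "dependencies": [{"ref": "lib-c@3.1", "dependsOn": []}],
}


def _identity(component):
    return (component.get("name"), component.get("version"))


def _add_component(out, seen, component):
    """Append component unless the same bom-ref is already present.

    A bom-ref reused for a *different* name/version is refused: merging it
    silently would let one input SBOM overwrite another's identity.
    """
    ref = component["bom-ref"]
    if ref in seen:
        if seen[ref] != _identity(component):
            raise ValueError(f"bom-ref {ref!r} used for two different components")
        return
    seen[ref] = _identity(component)
    out["components"].append(copy.deepcopy(component))


def assemble_with_primary(primary, others):
    """Return a new SBOM rooted at primary's metadata.component.

    Each other SBOM's primary component becomes a component of the result and a
    direct dependency of the root; its remaining components and dependency edges
    are carried over flat, so per-SBOM sub-graphs are preserved. Inputs are not
    modified.
    """
    out = copy.deepcopy(primary)
    out.setdefault("components", [])
    root = out["metadata"]["component"]
    root_ref = root["bom-ref"]
    seen = {root_ref: _identity(root)}
    for comp in out["components"]:
        seen[comp["bom-ref"]] = _identity(comp)

    # Dependency graph as ref -> ordered, de-duplicated list of dependsOn refs.
    graph = {}

    def add_edges(ref, targets):
        bucket = graph.setdefault(ref, [])
        for target in targets:
            if target not in bucket:
                bucket.append(target)

    for dep in out.get("dependencies", []):
        add_edges(dep["ref"], dep.get("dependsOn", []))

    for other in others:
        other_root = other["metadata"]["component"]
        _add_component(out, seen, other_root)
        add_edges(root_ref, [other_root["bom-ref"]])  # root -> other's primary
        for comp in other.get("components", []):
            _add_component(out, seen, comp)
        for dep in other.get("dependencies", []):  # keep other's own sub-graph
            add_edges(dep["ref"], dep.get("dependsOn", []))

    out["dependencies"] = [{"ref": r, "dependsOn": t} for r, t in graph.items()]
    return out


def component_refs(sbom):
    """Sorted bom-refs of the components section (root excluded)."""
    return sorted(c["bom-ref"] for c in sbom.get("components", []))


def depends_on(sbom, ref):
    """Direct dependencies recorded for ref, or [] if none."""
    for dep in sbom.get("dependencies", []):
        if dep["ref"] == ref:
            return list(dep.get("dependsOn", []))
    return []


if __name__ == "__main__":
    print(json.dumps(assemble_with_primary(SBOM_1, [SBOM_2, SBOM_3]), indent=2))
```

Run as is, it prints the assembled document: `app@1.0` stays the primary component, `lib-b@2.0` and `lib-c@3.1` appear under its `dependsOn` next to `lib-a@1.0`, and `lib-b@2.0 -> lib-b-core@2.0` is still present, which is the relationship the flat merge in the gist above drops.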