interlynk-io / sbomex Goto Github PK

As discussed, we should remove filter flag from fetch command.

The error message is always "invalid spec." It should be called out specifically.

Error messages:

1. spec options are spdx or cdx
2. format options are xml , json or tv (for tag-value)

Example of better error handling below -

1. Shows the error string
2. Prints help message

sbomqs score ~/Downloads/09-07-2022.csv --reportFormat basic2
Error: report format options are basic or detailed
Usage:
  sbomqs score [flags]

Flags:
      --category string       scoring category
      --dirpath string        sbom dir path
      --filepath string       sbom file path
  -h, --help                  help for score
      --reportFormat string   reporting format basic/detailed/json

Need to provide sbomqs as a container, and hosted on ghcr. This should ease integration.

Document these steps in the README

build/sbomex fetch --help
finds SBOM in the repository that matches the filtering criteria

Usage:
sbomex search [flags]

Flags:
--format string SBOM format options json/xml/tv
-h, --help help for search
--limit int max number of search results to print (default 25)
--spec string SBOM Specification options spdx/cdx
--tool string SBOM creator tool name (e.g. syft, trivy, bom)

build/sbomex fetch --help

downloads specified SBOM from the repository and prints to the screen

Usage:
sbomex fetch [flags]

Flags:
[Remove this one for now] --filter string Filter SBOM based on conditions provided
-h, --help help for fetch
--id int Fetch SBOM based on the input Id

Add support to download latest sbom db.

• Check if .interlynk-io/sbomex/sqlite3.db exists
• NOT then create all directories
• Download latest file from github-repo, decide latest file logic
• Download file and save to 1
• Open DB

Since we are using sqlite db, they makefile should change CGO_ENABLED=1.

[Text marked in bold below must be added to the help]

Text:
sbomex help

SBOM Explorer (sbomex) is a command line utility to help query and fetch Interlynk's public SBOM repository. The tool is intended to help familiarize with the specifications and formats of common SBOM standards and the quality of produced SBOMs (See sbomqs). The underlying repository is updated periodically with SBOMs from a variety of sources built with many tools

Usage:
sbomex [command]

Available Commands:
completion Generate the autocompletion script for the specified shell
fetch downloads specified SBOM from the repository and prints to the screen
help Help about any command
search finds SBOM in the repository that matches the filtering criteria

Flags:
-h, --help help for sbomex
-t, --toggle Help message for toggle

Use "sbomex [command] --help" for more information about a command.

Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.

Here's an example of a Debian SBOM created using bom-v0.4.1:

sbomex pull --id 442

This contains references like:

pkg:deb/debian/[email protected]?arch=s390x

From the purl spec:

There is no default package repository: this should be implied either from the distro qualifiers key or using a base url as a repository_url qualifiers key.

Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.

./build/sbomex fetch

command downloads a file and prints it to the screen, this should not happen. We should only download a file, when --id is provided.

sbomex search command should support --name flag. User should be able to pass name as a pattern e.g

sbomex search --name '%cen%'
sbomex search --name '%box%'

@surendrapathak we need to update the README.

It needs to match version details (sbomqs example attached) -

Change the fetch command to pull command to match related services. Here are the changes:

1. command name in the help and description changed as follows

build/sbomex --help

....
fetch Downloads specified SBOM from the repository and prints to the screen
pull Pulls specified SBOM from the repository and prints to the screen

2. build/sbomex pull --help
   Pulls specified SBOM from the repository and prints to the screen

Usage:
sbomex pull [flags]

Flags:
[Remove this one for now] --filter string Filter SBOM based on conditions provided
-h, --help help for pull
--id int Pull SBOM based on the input Id

3. Update README.md - @surendrapathak is on this.

Please consider adding a Linux arm64 release.

Please check input validations for --id fields.

./sbomex fetch --id -1
./sbomex fetch --id 12312312312321

all return bad data.

Refer to sbomqs and add goreleaser workflow.