interlynk-io / sbomex
Find & pull public SBOMs
Home Page: https://sbombenchmark.dev/
License: Other
As discussed, we should remove the filter flag from the fetch command.
The error message is always "invalid spec." It should be called out specifically.
Error messages:
Example of better error handling below -
sbomqs score ~/Downloads/09-07-2022.csv --reportFormat basic2
Error: report format options are basic or detailed
Usage:
sbomqs score [flags]
Flags:
--category string scoring category
--dirpath string sbom dir path
--filepath string sbom file path
-h, --help help for score
--reportFormat string reporting format basic/detailed/json
Need to provide sbomqs as a container, and hosted on ghcr. This should ease integration.
Document these steps in the README
build/sbomex search --help
finds SBOM in the repository that matches the filtering criteria
Usage:
sbomex search [flags]
Flags:
--format string SBOM format options json/xml/tv
-h, --help help for search
--limit int max number of search results to print (default 25)
--spec string SBOM Specification options spdx/cdx
--tool string SBOM creator tool name (e.g. syft, trivy, bom)
build/sbomex fetch --help
downloads specified SBOM from the repository and prints to the screen
Usage:
sbomex fetch [flags]
Flags:
[Remove this one for now] --filter string Filter SBOM based on conditions provided
-h, --help help for fetch
--id int Fetch SBOM based on the input Id
Add support to download latest sbom db.
Since we are using a sqlite db, the Makefile should set CGO_ENABLED=1.
[Text marked in bold below must be added to the help]
Text:
sbomex help
SBOM Explorer (sbomex) is a command line utility to help query and fetch Interlynk's public SBOM repository. The tool is intended to help familiarize with the specifications and formats of common SBOM standards and the quality of produced SBOMs (see sbomqs). The underlying repository is updated periodically with SBOMs from a variety of sources built with many tools.
Usage:
sbomex [command]
Available Commands:
completion Generate the autocompletion script for the specified shell
fetch downloads specified SBOM from the repository and prints to the screen
help Help about any command
search finds SBOM in the repository that matches the filtering criteria
Flags:
-h, --help help for sbomex
-t, --toggle Help message for toggle
Use "sbomex [command] --help" for more information about a command.
Appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.
Here's an example of a Debian SBOM created using bom-v0.4.1:
sbomex pull --id 442
This contains references like:
pkg:deb/debian/[email protected]?arch=s390x
From the purl spec:
There is no default package repository: this should be implied either from the distro qualifiers key or using a base url as a repository_url qualifiers key.
Basically the purl is incomplete. Without the distro information the purl here is ambiguous. I'd argue based on the spec it's technically an invalid purl, but the spec as written is a bit hard to parse. But whether or not it's invalid, it's not specific without the distro information.
./build/sbomex fetch
command downloads a file and prints it to the screen; this should not happen. We should only download a file when --id is provided.
The sbomex search command should support a --name flag. The user should be able to pass the name as a pattern, e.g.
sbomex search --name '%cen%'
sbomex search --name '%box%'
@surendrapathak we need to update the README.
Change the fetch command to pull command to match related services. Here are the changes:
build/sbomex --help
....
fetch Downloads specified SBOM from the repository and prints to the screen
pull Pulls specified SBOM from the repository and prints to the screen
build/sbomex pull --help
Usage:
sbomex pull [flags]
Flags:
[Remove this one for now] --filter string Filter SBOM based on conditions provided
-h, --help help for pull
--id int Pull SBOM based on the input Id
Please consider adding a Linux arm64 release.
Please check input validation for the --id field.
./sbomex fetch --id -1
./sbomex fetch --id 12312312312321
all return bad data.
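The three validation issues above (explicit error messages naming the valid options instead of a bare "invalid spec", a --name LIKE pattern for search, and range checks on --id) are shown together in the following added example. It is not sbomex's own code: sbomex is written in Go, but Python is used here because its sqlite3 module is in the standard library, so the example runs offline. The table layout and the sample rows are constructed for the example and are an assumption about how the repository database is shaped. The security-relevant point is in search(): the user's pattern is bound as a query parameter, so '%' and '_' behave as LIKE wildcards but quotes and semicolons cannot change the statement.

```python
"""Added example (not sbomex's own code): search-by-pattern and fetch-by-id
against an in-memory sqlite database, with the validation the issues ask for."""
import sqlite3

# Valid values for the --spec and --format flags shown in the help output above.
SPEC_OPTIONS = ("spdx", "cdx")
FORMAT_OPTIONS = ("json", "xml", "tv")

# Constructed sample rows standing in for the public SBOM repository (assumption:
# the real database has more columns; only these are needed here).
SAMPLE_ROWS = [
    (1, "centos", "spdx", "json", "syft"),
    (2, "busybox", "cdx", "json", "trivy"),
    (3, "debian", "spdx", "tv", "bom"),
    (4, "toybox", "cdx", "xml", "syft"),
]


def open_db():
    """Build the in-memory table the example queries."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE sbom (id INTEGER PRIMARY KEY, name TEXT, spec TEXT, "
        "format TEXT, tool TEXT)"
    )
    con.executemany("INSERT INTO sbom VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    return con


def check_option(flag, value, options):
    """Reject a value outside the allowed set, naming the flag and the options
    (the sbomqs-style message the issue asks for, not a bare 'invalid spec')."""
    if value is not None and value not in options:
        raise ValueError(f"{flag} options are {'/'.join(options)}, got {value!r}")
    return value


def check_id(value):
    """--id must be a positive integer that fits sqlite's 64-bit INTEGER."""
    if not isinstance(value, int) or isinstance(value, bool):
        raise ValueError("--id must be an integer")
    if value < 1 or value > 2**63 - 1:
        raise ValueError(f"--id must be between 1 and {2**63 - 1}, got {value}")
    return value


def search(con, name=None, spec=None, fmt=None, limit=25):
    """search --name '%cen%' --spec spdx: every user value is a bound parameter,
    never interpolated into the SQL text."""
    check_option("--spec", spec, SPEC_OPTIONS)
    check_option("--format", fmt, FORMAT_OPTIONS)
    clauses, params = [], []
    if name is not None:
        clauses.append("name LIKE ?")   # '%' and '_' are wildcards by design
        params.append(name)
    if spec is not None:
        clauses.append("spec = ?")
        params.append(spec)
    if fmt is not None:
        clauses.append("format = ?")
        params.append(fmt)
    sql = "SELECT id, name, spec, format, tool FROM sbom"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY id LIMIT ?"
    params.append(limit)
    return con.execute(sql, params).fetchall()


def fetch(con, sbom_id):
    """fetch --id N: validate before querying; an unknown id is an error,
    not empty or garbage output."""
    check_id(sbom_id)
    row = con.execute(
        "SELECT id, name, spec, format, tool FROM sbom WHERE id = ?", (sbom_id,)
    ).fetchone()
    if row is None:
        raise LookupError(f"no SBOM with id {sbom_id}")
    return row


if __name__ == "__main__":
    db = open_db()
    print(search(db, name="%box%"))
    print(fetch(db, 2))
    for bad in (-1, 0, 12312312312321):  # the ids from the issue above
        try:
            fetch(db, bad)
        except (ValueError, LookupError) as e:
            print("error:", e)
```

Running the block prints the two "box" rows, the busybox row, and one error line per bad id: -1 and 0 are rejected before any query runs, while 12312312312321 is a well-formed id that simply does not exist and is reported as such rather than returning bad data.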
Refer to sbomqs and add a goreleaser workflow.