opensbom-generator / parsers
Language and ecosystem parsers
License: Apache License 2.0
Assess the parser to ensure the data looks as expected
We should write a couple of conformance tests to ensure the parsers are following the design we want to apply to all of them. I will start dumping some thoughts about what I think should be important to capture in the conformance suite:
It looks like the GitHub workflow requires installation of all the package managers and using the package managers to build applications. Add installation of package managers (e.g. yarn) and building of the test package (yarn install in the right location).
Assess the parser to ensure the data looks as expected
Related issues:
#20
Is it possible to generate an SBOM from the vcpkg package manager?
Assess the parser to ensure the data looks as expected
The current npm JSON parser implements JSON reading using ioutil.ReadJson, which is deprecated. Also, some considerations with the package-json.lock file are not supported.
See opensbom-generator/spdx-sbom-generator#252 and opensbom-generator/spdx-sbom-generator#242 for more details.
Assess the parser to ensure the data looks as expected
Right now there is no PR template for contributors; should we add one?
If yes, I will make a PR for this.
I think we should replace the command execution library with the command package in kubernetes-sigs/release-utils. That library is under constant maintenance and has more features and control.
➜ lsif-node git:(main) ✗ ./sbomgen -o . -f JSON
INFO[2023-08-27T14:53:17+08:00] Starting to generate SPDX ...
INFO[2023-08-27T14:53:18+08:00] Using npm, current Language Version 6.14.11
INFO[2023-08-27T14:53:18+08:00] Global Setting File path
INFO[2023-08-27T14:53:18+08:00] Parsing . for packages
FATA[2023-08-27T14:53:29+08:00] error creating SBOM, err: writing serialized document: json: error calling MarshalJSON for type *common.Supplier: failed to marshal invalid Supplier: {Supplier: SupplierType:Organization}
The process will break if either the SupplierType or Supplier field is empty.
Maybe we need some default values (both name and type) to avoid this, not only assigning a name. Like:
Line 115 in dda5564
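The failure in the log above, reproduced with a hypothetical Supplier type and a defaulting step that runs before serialization. This is an added example in Go, not code from the parsers project or from spdx/tools-golang (whose common.Supplier is the type in the log); the names Supplier, NormalizeSupplier, Package and SerializePackage are assumed, and the sample package record is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Supplier is a hypothetical stand-in for an SPDX package supplier: a type
// ("Person" or "Organization") plus a name. It is not the project's own type.
type Supplier struct {
	Name string
	Type string
}

// MarshalJSON mirrors the failure mode in the log: a supplier with an empty
// name or type is rejected instead of being written out as an empty string.
// The SPDX sentinel values NOASSERTION and NONE carry no type.
func (s Supplier) MarshalJSON() ([]byte, error) {
	if s.Name == "NOASSERTION" || s.Name == "NONE" {
		return json.Marshal(s.Name)
	}
	if s.Name == "" || s.Type == "" {
		return nil, fmt.Errorf("invalid Supplier: name=%q type=%q", s.Name, s.Type)
	}
	return json.Marshal(s.Type + ": " + s.Name)
}

// NormalizeSupplier is the defaulting step the issue asks for: it runs before
// serialization so the document can never contain a half-filled supplier.
func NormalizeSupplier(s Supplier) Supplier {
	switch {
	case s.Name == "":
		// No usable name: state that explicitly rather than inventing one.
		return Supplier{Name: "NOASSERTION"}
	case s.Type == "":
		// Name without a type: assume an organization, the usual case for
		// registry metadata (an assumption of this example, not an SPDX rule).
		return Supplier{Name: s.Name, Type: "Organization"}
	}
	return s
}

// Package is a minimal package record with the supplier embedded.
type Package struct {
	Name     string   `json:"name"`
	Version  string   `json:"versionInfo"`
	Supplier Supplier `json:"supplier"`
}

// SerializePackage normalizes the supplier and then marshals the record, so
// the "error calling MarshalJSON" path from the log cannot be reached.
func SerializePackage(p Package) (string, error) {
	p.Supplier = NormalizeSupplier(p.Supplier)
	b, err := json.Marshal(p)
	if err != nil {
		return "", fmt.Errorf("writing serialized document: %w", err)
	}
	return string(b), nil
}

func main() {
	// Constructed sample: the parser found a supplier type but no name, which
	// is exactly the shape that aborted the run in the log above.
	half := Package{Name: "lsif-node", Version: "1.0.0", Supplier: Supplier{Type: "Organization"}}

	if _, err := json.Marshal(half); err != nil {
		fmt.Println("without defaults:", err)
	}
	out, err := SerializePackage(half)
	fmt.Println("with defaults:", out, err)
}
```

The point of doing the defaulting in one place, rather than assigning a name at the call site that happened to crash, is that every parser feeds the same serializer and gets the same guarantee.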
Assess the parser to ensure the data looks as expected
Right now, the parsers try to make external network calls for fetching package data.
https://github.com/opensbom-generator/parsers/blob/main/nuget/helpers.go#L14
Used to fetch:
https://github.com/opensbom-generator/parsers/blob/main/pip/worker/pypi.go#L85
Used to fetch:
Bonus:
For all dependency managers, pip offers a command pip inspect to get metadata for the current environment, which contains package metadata, platform information (this can be used for #25) and a lot more.
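How the pip inspect route could replace the network lookup, as an added example in Go (the project's language); this is not the project's pip parser. The report struct follows the field names of pip's documented JSON report (version "1"), the sample report is constructed for the example, and the names ParsePipInspect, PipInventory and PipPackage are assumed. Everything it needs is already on the machine that ran the build, so the parser makes no network calls.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// pipInspectReport covers the parts of the `pip inspect` JSON report that an
// SBOM parser needs. Field names follow pip's documented report format
// (report version "1"); this is an added example, not the project's pip parser.
type pipInspectReport struct {
	Version   string `json:"version"`
	Installed []struct {
		Metadata struct {
			Name         string   `json:"name"`
			Version      string   `json:"version"`
			License      string   `json:"license"`
			RequiresDist []string `json:"requires_dist"`
		} `json:"metadata"`
		Requested bool   `json:"requested"`
		Installer string `json:"installer"`
	} `json:"installed"`
	Environment map[string]string `json:"environment"`
}

// PipPackage is one installed distribution as the SBOM would record it.
type PipPackage struct {
	Name      string
	Version   string
	License   string
	Requested bool     // true for top-level (directly requested) packages
	Requires  []string // raw Requires-Dist specifiers, not resolved here
}

// PipInventory is the parsed result, including the platform data that the
// report's environment block carries (the input the platform issue asks for).
type PipInventory struct {
	Packages []PipPackage
	Platform string // "<sys_platform>/<platform_machine>", e.g. "linux/x86_64"
	Python   string // python_full_version
}

// ParsePipInspect turns a captured `pip inspect` report into an inventory.
// It refuses unknown report versions and entries that cannot be identified,
// rather than emitting a package record with an empty name or version.
func ParsePipInspect(data []byte) (PipInventory, error) {
	var r pipInspectReport
	if err := json.Unmarshal(data, &r); err != nil {
		return PipInventory{}, fmt.Errorf("decoding pip inspect report: %w", err)
	}
	if r.Version != "1" {
		return PipInventory{}, fmt.Errorf("unsupported pip inspect report version %q", r.Version)
	}
	inv := PipInventory{
		Platform: r.Environment["sys_platform"] + "/" + r.Environment["platform_machine"],
		Python:   r.Environment["python_full_version"],
	}
	for i, in := range r.Installed {
		if in.Metadata.Name == "" || in.Metadata.Version == "" {
			return PipInventory{}, fmt.Errorf("installed[%d]: missing name or version", i)
		}
		inv.Packages = append(inv.Packages, PipPackage{
			Name:      in.Metadata.Name,
			Version:   in.Metadata.Version,
			License:   in.Metadata.License,
			Requested: in.Requested,
			Requires:  in.Metadata.RequiresDist,
		})
	}
	return inv, nil
}

// SampleReport is a constructed report in the shape `pip inspect` prints; the
// package names, versions, licenses and paths are made up for this example.
const SampleReport = `{
  "version": "1",
  "pip_version": "23.2.1",
  "installed": [
    {"metadata": {"metadata_version": "2.1", "name": "requests", "version": "2.31.0",
                  "license": "Apache 2.0", "requires_dist": ["charset-normalizer<4,>=2", "idna<4,>=2.5"]},
     "metadata_location": "/venv/lib/python3.11/site-packages/requests-2.31.0.dist-info",
     "requested": true, "installer": "pip"},
    {"metadata": {"metadata_version": "2.1", "name": "idna", "version": "3.4", "license": ""},
     "metadata_location": "/venv/lib/python3.11/site-packages/idna-3.4.dist-info",
     "requested": false, "installer": "pip"}
  ],
  "environment": {"implementation_name": "cpython", "platform_machine": "x86_64",
                  "platform_system": "Linux", "python_full_version": "3.11.4", "sys_platform": "linux"}
}`

func main() {
	inv, err := ParsePipInspect([]byte(SampleReport))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("platform %s, python %s\n", inv.Platform, inv.Python)
	for _, p := range inv.Packages {
		fmt.Printf("%s %s requested=%v requires=%v\n", p.Name, p.Version, p.Requested, p.Requires)
	}
}
```

The requested flag is what distinguishes top-level packages from transitive ones, which is the information a lock-file-only parser has to guess at; the environment block is the same data used for PEP 508 environment markers, so it is the right source for the platform the dependencies were resolved for.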
Assess the parser to ensure the data looks as expected
When analyzing the dependencies of projects, the effective dependencies can change based on what platform the build is targeting. In order to cover those cases, we need to be able to do two things from any of the parsers:
This umbrella issue tracks the progress of the code migration from the generator repository to the new standalone repository according to the plan agreed upon in the Oct 19th community meeting.
Assess the parser to ensure the data looks as expected
The reader package seems to be a little bit overkill, maybe we should deprecate it.
/cc @cpanato
Assess the parser to ensure the data looks as expected
The data model for the OpenSBOM parsers is broken. If you have a project with more than one top-level module/package, it cannot be represented in the current model :(
Say for example this one: https://github.com/rust-secure-code/cargo-geiger/blob/master/Cargo.toml
I don't know if we can fix this with the current model, it will require a v2 API.
Assess the parser to ensure the data looks as expected