
Expose merging SBOMs

Open sambhav opened this issue 4 years ago • 5 comments

Hello 👋 we are starting the work on integrating cyclonedx in buildpacks. As a part of this work, we need to be able to merge cyclonedx SBOMs provided by various buildpacks involved in the build process through our go based binary called the lifecycle. We were hoping for the behavior exposed by the cyclonedx CLI to be available via a go library. Would it be possible to add this as an enhancement?

sambhav avatar Oct 05 '21 15:10 sambhav

Note to self: Merging as performed by the CLI is implemented here in the .NET library: https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Utils/Merge.cs

nscuro avatar Oct 08 '21 12:10 nscuro

Don't be limited by what I managed to implement for merging in the CLI tool. It still requires some work, especially around the flat merging approach, i.e. it doesn't handle dependency graphs. But from memory the hierarchical merging was reasonably feature complete.

coderpatros avatar Oct 16 '21 12:10 coderpatros

Yeah, there are a few other points I'd like to address with flat merging. Like deduplication of components and services, rewiring of the dependency graph etc. I've used a merging library for the initial implementation, but that may not be the best idea after all. Will need to do a bit more research here.

nscuro avatar Oct 16 '21 20:10 nscuro

This would be really great to see. I'm working with CycloneDX in Go and my options for merging at the moment are:

  1. Implement this myself
  2. Exec out to the cyclonedx CLI.

Neither are very appealing!

ribbybibby avatar Jun 28 '22 16:06 ribbybibby
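The two points raised in the thread, deduplicating components across documents and rewiring the dependency graph so that edges still point at the surviving component, are what the "implement this myself" option boils down to. The following is an added example, not code from cyclonedx-go, the CLI or anyone in this issue: it sketches a flat merge over deliberately minimal stand-in structs (`Component`, `Dependency`, `BOM` are assumptions that mirror only the fields needed here, not the library's real types). Component identity is taken from the package URL, falling back to `name@version`; bom-refs are rewritten per input document because they are only unique inside one BOM. The two input BOMs are constructed sample data.

```go
package main

import (
	"fmt"
	"sort"
)

// Component is a minimal stand-in for a CycloneDX component (assumption:
// only the fields needed for identity and graph rewiring are modelled).
type Component struct {
	BOMRef  string
	Name    string
	Version string
	PURL    string
}

// Dependency mirrors the shape of a CycloneDX dependency entry.
type Dependency struct {
	Ref       string
	DependsOn []string
}

// BOM is the subset of a CycloneDX document this example merges.
type BOM struct {
	Components   []Component
	Dependencies []Dependency
}

// identity decides whether two components from different BOMs are the same
// artifact: the package URL when present, otherwise name@version.
func identity(c Component) string {
	if c.PURL != "" {
		return c.PURL
	}
	return c.Name + "@" + c.Version
}

// MergeFlat folds several BOMs into one: components are deduplicated by
// identity, each survivor gets its identity as bom-ref, and every dependency
// edge is rewritten from the per-BOM refs to the new ones.
func MergeFlat(boms ...BOM) BOM {
	var out BOM
	seen := map[string]bool{}             // identity -> already emitted
	edges := map[string]map[string]bool{} // new ref -> set of new refs it depends on

	for _, b := range boms {
		refMap := map[string]string{} // old bom-ref -> new ref, scoped to this BOM
		for _, c := range b.Components {
			id := identity(c)
			refMap[c.BOMRef] = id
			if !seen[id] {
				seen[id] = true
				c.BOMRef = id
				out.Components = append(out.Components, c)
			}
			if _, ok := edges[id]; !ok {
				edges[id] = map[string]bool{}
			}
		}
		for _, d := range b.Dependencies {
			from, ok := refMap[d.Ref]
			if !ok {
				continue // dangling ref in the input: drop it rather than invent a node
			}
			for _, dep := range d.DependsOn {
				if to, ok := refMap[dep]; ok {
					edges[from][to] = true
				}
			}
		}
	}

	// Emit the graph in sorted order so the merged document is reproducible.
	refs := make([]string, 0, len(edges))
	for r := range edges {
		refs = append(refs, r)
	}
	sort.Strings(refs)
	for _, r := range refs {
		deps := make([]string, 0, len(edges[r]))
		for to := range edges[r] {
			deps = append(deps, to)
		}
		sort.Strings(deps)
		out.Dependencies = append(out.Dependencies, Dependency{Ref: r, DependsOn: deps})
	}
	return out
}

// SampleBOMs returns two constructed inputs, as two buildpacks might emit:
// both list the same "foo" library under different bom-refs.
func SampleBOMs() []BOM {
	a := BOM{
		Components: []Component{
			{BOMRef: "app", Name: "app", Version: "1.0", PURL: "pkg:generic/app@1.0"},
			{BOMRef: "lib-1", Name: "foo", Version: "1.2.3", PURL: "pkg:golang/foo@1.2.3"},
		},
		Dependencies: []Dependency{{Ref: "app", DependsOn: []string{"lib-1"}}},
	}
	b := BOM{
		Components: []Component{
			{BOMRef: "rt", Name: "runtime", Version: "2.0", PURL: "pkg:generic/runtime@2.0"},
			{BOMRef: "c1", Name: "foo", Version: "1.2.3", PURL: "pkg:golang/foo@1.2.3"},
			{BOMRef: "c2", Name: "bar", Version: "0.9.0", PURL: "pkg:golang/bar@0.9.0"},
		},
		Dependencies: []Dependency{
			{Ref: "rt", DependsOn: []string{"c1", "c2"}},
			{Ref: "c1", DependsOn: []string{"c2"}},
		},
	}
	return []BOM{a, b}
}

func main() {
	m := MergeFlat(SampleBOMs()...)
	for _, c := range m.Components {
		fmt.Println("component:", c.BOMRef)
	}
	for _, d := range m.Dependencies {
		fmt.Println("depends:", d.Ref, "->", d.DependsOn)
	}
}
```

With the sample input the merged document carries four components instead of five, and the edge `rt -> c1` from the second BOM becomes `pkg:generic/runtime@2.0 -> pkg:golang/foo@1.2.3`, pointing at the single copy of `foo` kept from the first BOM. Dangling refs are dropped instead of being turned into phantom nodes, which is the conservative choice when the inputs come from tools you do not control.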