sbom-utility
Utility that provides an API platform for validating, querying and managing BOM data
Also, will need to make sure we can handle the "oneOf" constraint where the "legacy" object is an "array" type whereas the new type contains arrays of Components and Services:...
See standardized profiles: https://scvs.owasp.org/bom-maturity-model/profiles/examples/ntia-minimum-elements/ Also, see how they are being used in BOM generation (which could be used to create test/input data): - https://github.com/CycloneDX/cdxgen and its "--profile" flag/option. Note: profile...
Support the latest SPDX license templates: https://github.com/spdx/license-list-data Which were made official in this tagged release: https://github.com/spdx/license-list-data/releases/tag/v3.20
Currently, JSF signatures are only validated for correctness (in theory); we need testcases to verify this. As part of this effort we may also want to add custom "structs" for...
To help Windows consumers, see if we can auto-generate an MSI file as part of the build/release process: https://github.com/mh-cbon/go-msi
See: https://blog.devgenius.io/graphs-in-golang-45f7ce31fd3f and, as one format, DOT files: https://graphviz.org/doc/info/lang.html --- This could include "assemblies" and also the formulation "workflow->task" dependencies as well
Extracted this feature request from issue https://github.com/CycloneDX/sbom-utility/issues/35 > I ran this on an SBOM with 9928 components. There were duplicate components. ``` 1. Type: [unique], Field: [components], Description: [array items[3,243]...
When outputting data in JSON format, we need to remove all empty nested structs. We have done this for the `license` command. This reduces JSON output for downstream processing. See...
A general mechanism to do this needs to be provided, and its complexity may go beyond what can be easily conveyed via a command line flag. This may lead to additional...
i.e., add property ``Signature CDXSignature `json:"signature,omitempty"` `` to the top-level `CDXBom` structure. Then support it with signing verification (validation) with testcases. This will be a bit of a challenge as we...