lib4sbom
Library to ingest and generate SBOMs
Guessing purl thanks to the cpe2purl database; upstream purls (e.g. github, gitlab, sourceforge) are preferred over distribution-specific purls (e.g. debian, ubuntu, fedora, etc.). In this first iteration, only json and...
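The preference rule described in that pull request (an upstream purl wins over a distribution rebuild's purl), as an added, stand-alone example that is not lib4sbom's own code: the `CPE2PURL` table, the sample CPE and the grouping of purl types into "upstream repository", "ecosystem registry" and "distribution" are all constructed assumptions for illustration, not the real cpe2purl data.

```python
"""Choose the preferred purl for a CPE: upstream first, distribution-specific last.

Added example, not lib4sbom's code. The lookup table below is constructed.
"""
from typing import Optional

# purl types that identify a distribution's rebuilt package rather than upstream.
# Membership of these sets is an assumption for this example.
DISTRO_TYPES = {"deb", "rpm", "apk", "alpm"}
# Source-hosting types, ranked ahead of ecosystem registries such as pypi/npm.
UPSTREAM_REPO_TYPES = {"github", "gitlab", "sourceforge"}

# Constructed stand-in for the cpe2purl database: CPE -> candidate purls.
CPE2PURL = {
    "cpe:2.3:a:haxx:curl:7.88.1:*:*:*:*:*:*:*": [
        "pkg:deb/debian/curl@7.88.1-10",
        "pkg:github/curl/curl@curl-7_88_1",
        "pkg:rpm/fedora/curl@7.88.1-1.fc38",
    ],
}


def purl_type(purl: str) -> str:
    """Return the type component of a purl, e.g. 'pkg:deb/debian/curl@7.88' -> 'deb'."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):].lstrip("/")          # the spec allows 'pkg://type/...'
    return body.split("/", 1)[0].lower()


def purl_rank(purl: str) -> int:
    """Lower rank is preferred: upstream repo (0) < ecosystem registry (1) < distro (2)."""
    ptype = purl_type(purl)
    if ptype in UPSTREAM_REPO_TYPES:
        return 0
    if ptype in DISTRO_TYPES:
        return 2
    return 1


def prefer_upstream(candidates: list[str]) -> Optional[str]:
    """Pick the best-ranked candidate; ties keep the first one listed (min() is stable)."""
    if not candidates:
        return None
    return min(candidates, key=purl_rank)


def guess_purl(cpe: str) -> Optional[str]:
    """Resolve a CPE to its preferred purl via the (constructed) cpe2purl table."""
    return prefer_upstream(CPE2PURL.get(cpe, []))


if __name__ == "__main__":
    for cpe in CPE2PURL:
        print(cpe, "->", guess_purl(cpe))
```

The ranking deliberately treats any type it does not recognise as an ecosystem registry rather than a distribution, so an unknown purl type can never be silently ranked below a distribution rebuild.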
Following on from #41 the SPDX and CycloneDX generators need to handle multiple licences for a component.
- Extra detail such as ratings added according to specification - fixes the affects["versions"] field, which was invalid according to the CycloneDX VEX specification (should be a list, was a dict) - source...
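A check for the shape bug mentioned in that change, as an added example that is not lib4sbom's code: it walks `vulnerabilities[].affects[].versions` in a CycloneDX VEX document, reports entries that are not a list (or that lack exactly one of `version`/`range`, or carry an unknown `status`), and offers a repair that wraps a lone dict into the list the specification requires. The sample VEX document is constructed; the function names are this example's own.

```python
"""Validate and repair CycloneDX VEX affects[].versions.

Added example, not lib4sbom's code. SAMPLE_VEX is a constructed document that
reproduces the dict-instead-of-list shape described above.
"""
import copy
import json

# Allowed values of affects[].versions[].status in the CycloneDX schema.
VALID_STATUS = {"affected", "unaffected", "unknown"}

SAMPLE_VEX = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "vulnerabilities": [
    {
      "id": "CVE-0000-00000",
      "affects": [
        {
          "ref": "pkg:pypi/example@1.2.3",
          "versions": {"version": "1.2.3", "status": "affected"}
        }
      ]
    }
  ]
}
""")


def _check_entry(where: str, entry: object) -> list[str]:
    if not isinstance(entry, dict):
        return [f"{where}: must be an object"]
    problems = []
    # The schema is oneOf {version} / {range}: exactly one of the two must be present.
    if ("version" in entry) == ("range" in entry):
        problems.append(f"{where}: exactly one of 'version' or 'range' is required")
    status = entry.get("status", "affected")        # schema default is "affected"
    if status not in VALID_STATUS:
        problems.append(f"{where}: unknown status {status!r}")
    return problems


def check_affects_versions(vex: dict) -> list[str]:
    """Return human-readable problems found in vulnerabilities[].affects[].versions."""
    problems = []
    for vi, vuln in enumerate(vex.get("vulnerabilities", [])):
        for ai, affect in enumerate(vuln.get("affects", [])):
            where = f"vulnerabilities[{vi}].affects[{ai}].versions"
            versions = affect.get("versions")
            if versions is None:                      # optional field, nothing to check
                continue
            if not isinstance(versions, list):
                problems.append(f"{where}: must be a list, got {type(versions).__name__}")
                continue
            for ei, entry in enumerate(versions):
                problems.extend(_check_entry(f"{where}[{ei}]", entry))
    return problems


def normalize_affects_versions(vex: dict) -> dict:
    """Return a copy in which a lone dict under 'versions' is wrapped into a list."""
    fixed = copy.deepcopy(vex)
    for vuln in fixed.get("vulnerabilities", []):
        for affect in vuln.get("affects", []):
            versions = affect.get("versions")
            if isinstance(versions, dict):
                affect["versions"] = [versions]
    return fixed


if __name__ == "__main__":
    print("before:", check_affects_versions(SAMPLE_VEX))
    print("after: ", check_affects_versions(normalize_affects_versions(SAMPLE_VEX)))
```

Run the check on the generator's output rather than trusting the generator: a consumer that applies the CycloneDX JSON schema will reject the whole document on this one field, so catching it before publication is cheaper than a rejected VEX.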
It looks like the 'hasExtractedLicensingInfos' part of JSON SBOM files (defined at https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/) is just ignored. I didn't find where it is processed in `SPDXParser._parse_spdx_data`, and I didn't find where...
Conversion of cdx json sbom to spdx json sbom file misses download location and license information
The license information and download location are missing from the conversion from cdx.json to spdx.json. `from lib4sbom.parser import SBOMParser from lib4sbom.generator import SBOMGenerator from lib4sbom.data.document import SBOMDocument test_parser =...
Upgrade license data to latest list - [SPDX License List](https://github.com/spdx/license-list-data/releases/tag/v3.25.0)
Currently the SPDX generator assumes that the source of a relationship is always a package, and the target is either a package or a file: https://github.com/anthonyharrison/lib4sbom/blob/5a06007fb97cbe092545bc84aebe52fa08894301/lib4sbom/generator.py#L174-L190 SPDX [relationships](https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/) may occur...
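To see why the package-only assumption breaks, here is an added example (not lib4sbom's code) that resolves both ends of every SPDX 2.3 JSON relationship to the kind of element they name: the document itself, a package, a file, a snippet, an external document reference, or the special values `NONE`/`NOASSERTION`. The sample document is constructed and includes a file as the source of a relationship.

```python
"""Classify both ends of SPDX 2.3 JSON relationships by element kind.

Added example, not lib4sbom's code. SAMPLE_SPDX is a constructed document.
"""
import json

SAMPLE_SPDX = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example",
  "packages": [{"name": "libexample", "SPDXID": "SPDXRef-Package-libexample"}],
  "files": [
    {"fileName": "./src/main.c", "SPDXID": "SPDXRef-File-main"},
    {"fileName": "./build/main.o", "SPDXID": "SPDXRef-File-main-o"}
  ],
  "snippets": [{"SPDXID": "SPDXRef-Snippet-1", "snippetFromFile": "SPDXRef-File-main"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-libexample"},
    {"spdxElementId": "SPDXRef-Package-libexample", "relationshipType": "CONTAINS",
     "relatedSpdxElement": "SPDXRef-File-main"},
    {"spdxElementId": "SPDXRef-File-main-o", "relationshipType": "GENERATED_FROM",
     "relatedSpdxElement": "SPDXRef-File-main"},
    {"spdxElementId": "SPDXRef-Snippet-1", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "DocumentRef-other:SPDXRef-Package-zlib"},
    {"spdxElementId": "SPDXRef-Package-libexample", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "NOASSERTION"}
  ]
}
""")

SPECIAL = {"NONE", "NOASSERTION"}


def index_spdx_elements(doc: dict) -> dict[str, str]:
    """Map every SPDXID in the document to the kind of element it identifies."""
    kinds = {doc["SPDXID"]: "document"}
    for key, kind in (("packages", "package"), ("files", "file"), ("snippets", "snippet")):
        for elem in doc.get(key, []):
            kinds[elem["SPDXID"]] = kind
    return kinds


def element_kind(kinds: dict[str, str], spdx_id: str) -> str:
    """Resolve one relationship end, including the values a local index cannot hold."""
    if spdx_id in SPECIAL:
        return spdx_id.lower()
    if spdx_id.startswith("DocumentRef-") and ":" in spdx_id:
        return "external"                      # element in another SPDX document
    return kinds.get(spdx_id, "unknown")       # dangling reference: flag, do not guess


def classify_relationships(doc: dict) -> list[tuple[str, str, str, str, str]]:
    """Return (source, source_kind, type, target, target_kind) for each relationship."""
    kinds = index_spdx_elements(doc)
    return [
        (rel["spdxElementId"], element_kind(kinds, rel["spdxElementId"]),
         rel["relationshipType"],
         rel["relatedSpdxElement"], element_kind(kinds, rel["relatedSpdxElement"]))
        for rel in doc.get("relationships", [])
    ]


def source_kinds(doc: dict) -> set[str]:
    """The set of element kinds that appear as a relationship source."""
    return {src_kind for _, src_kind, _, _, _ in classify_relationships(doc)}


if __name__ == "__main__":
    for row in classify_relationships(SAMPLE_SPDX):
        print(row)
```

A generator that keys its relationship table by package name alone would have nowhere to put the third and fourth rows of this sample; indexing by SPDXID first, and only then looking up the element's kind, handles every case the specification allows.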
Hi, I'm trying to use https://github.com/anthonyharrison/sbomconvert to convert some SPDX v2.3 documents to CycloneDX v1.6. I find it does better mapping for fields like cpe and purl compared to https://github.com/CycloneDX/cyclonedx-cli...
It might be useful when you receive an SBOM file as an InMemoryUploadedFile. You probably want to parse it without saving to disk.