feat: Add SBOM support

Open theofidry opened this issue 2 years ago • 2 comments

The goal of this PR, at the time of writing, is to assess what is necessary. A few points to consider:

  • This should be a dedicated package (ideally a cyclonedx one)
  • This needs to have a config entry (for opt-in/opt-out), probably can default to opt-in
  • Need to add support for this in the info/diff command; maybe too verbose for the info command but it can probably say whether an SBOM file has been found and suggest the desired command to view the SBOM
  • à la BoxManifest: maybe a new command can be shown to:
    • render the SBOM in different formats
    • extract the SBOM specifically

theofidry avatar Oct 23 '23 21:10 theofidry

/cc @llaville: as this is, currently at least, your work for the most part.

Current status: I have a rough idea of what it takes now. I am however very curious about how this will play with https://github.com/composer/composer/issues/11693.

@llaville I am also curious why you went with installed.php content rather than the composer.lock?

theofidry avatar Oct 23 '23 21:10 theofidry

I am also curious why you went with installed.php content rather than the composer.lock?

Because:

  1. composer.lock is not mandatory and could be ignored (see documentation https://getcomposer.org/doc/06-config.md#lock, and implementation https://github.com/composer/composer/blob/2.6.5/src/Composer/Factory.php#L412-L418)
  2. installed.php is part of the Composer Runtime API since v2.0 (https://getcomposer.org/doc/07-runtime.md#installed-versions) and should always be present, with a higher priority than composer.lock (see implementation https://github.com/composer/composer/blob/2.6.5/src/Composer/Factory.php#L345-L357)

llaville avatar Oct 24 '23 05:10 llaville
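To make the installed.php choice concrete, here is an added example (written for this discussion; it is not code from the thread, from box, or from any cyclonedx package) that reads the `versions` map Composer writes to vendor/composer/installed.php and turns it into a minimal CycloneDX 1.5 JSON document. It assumes the installed.php layout of Composer 2.1 and later (`pretty_version`, `version`, `reference`, `type`, `dev_requirement`, with replaced/provided packages carrying no version); the sample data at the bottom is constructed, and the `box:source-reference` property name is an invented label for this example, not a CycloneDX or box identifier.

```php
<?php
// Added example, not part of the thread or the box project: build a minimal
// CycloneDX 1.5 SBOM from the `versions` map of vendor/composer/installed.php.
// The installed.php layout assumed here is the one Composer >= 2.1 writes.
declare(strict_types=1);

/**
 * Convert installed.php data into a CycloneDX 1.5 document (as an array).
 *
 * @param array{root: array<string, mixed>, versions: array<string, array<string, mixed>>} $installed
 * @param bool $includeDev  list packages that are only dev requirements
 * @return array<string, mixed>
 */
function buildCycloneDxFromInstalled(array $installed, bool $includeDev = false): array
{
    $components = [];

    foreach ($installed['versions'] as $packageName => $info) {
        // Replaced/provided packages have no pretty_version: no code of theirs
        // is shipped, so they must not be listed as components.
        if (!isset($info['pretty_version'])) {
            continue;
        }
        // dev_requirement marks packages pulled in only by require-dev.
        if (!$includeDev && ($info['dev_requirement'] ?? false)) {
            continue;
        }

        // Composer names are vendor/name; vendor becomes the purl namespace.
        $slash = strpos($packageName, '/');
        $group = $slash === false ? null : substr($packageName, 0, $slash);
        $name  = $slash === false ? $packageName : substr($packageName, $slash + 1);
        $version = (string) $info['pretty_version'];

        // Package URL per the purl spec: pkg:composer/<vendor>/<name>@<version>
        $purl = 'pkg:composer/' . $packageName . '@' . rawurlencode($version);

        $component = [
            'type'    => 'library',
            'bom-ref' => $purl,
            'name'    => $name,
            'version' => $version,
            'purl'    => $purl,
        ];
        if ($group !== null) {
            $component['group'] = $group;
        }
        // Keep the exact VCS commit Composer installed; the property name is a
        // label chosen for this example, not an official CycloneDX taxonomy.
        if (!empty($info['reference'])) {
            $component['properties'] = [
                ['name' => 'box:source-reference', 'value' => (string) $info['reference']],
            ];
        }
        $components[] = $component;
    }

    $root = $installed['root'];

    return [
        'bomFormat'   => 'CycloneDX',
        'specVersion' => '1.5',
        'version'     => 1,
        'metadata'    => [
            'component' => [
                'type'    => 'application',
                'name'    => (string) $root['name'],
                'version' => (string) $root['pretty_version'],
            ],
        ],
        'components' => $components,
    ];
}

// Constructed sample mirroring the installed.php shape (not real package data).
$sampleInstalled = [
    'root' => [
        'name' => 'acme/tool', 'pretty_version' => '1.4.0', 'version' => '1.4.0.0',
        'reference' => 'aaaaaaa', 'type' => 'project', 'dev' => false,
    ],
    'versions' => [
        'acme/tool'        => ['pretty_version' => '1.4.0', 'version' => '1.4.0.0', 'reference' => 'aaaaaaa', 'type' => 'project', 'dev_requirement' => false],
        'vendor/lib'       => ['pretty_version' => 'v2.3.1', 'version' => '2.3.1.0', 'reference' => 'bbbbbbb', 'type' => 'library', 'dev_requirement' => false],
        'vendor/test-only' => ['pretty_version' => '0.9.0', 'version' => '0.9.0.0', 'reference' => 'ccccccc', 'type' => 'library', 'dev_requirement' => true],
        'vendor/polyfill'  => ['dev_requirement' => false, 'replaced' => ['*']],
    ],
];

echo json_encode(buildCycloneDxFromInstalled($sampleInstalled), JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
```

Inside a built PHAR the same function would be fed with `require 'phar://…/vendor/composer/installed.php'` instead of the constructed array. With the sample above, `vendor/test-only` is dropped because it is a dev requirement and `vendor/polyfill` is dropped because it is a replaced package without a version, which is exactly the filtering that composer.lock alone (with its separate `packages`/`packages-dev` sections and no notion of what was actually installed) would not give you.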