sbom
Validate an existing bom.xml?
I'm looking at things from a slightly different perspective, where I want to look at a source repo and see if it has a valid bom.xml. Would this be something you think useful in this lib/api?
What do you mean exactly by 'valid bom.xml'? That the file is well-formed? That it validates against the XSD? That the content hasn't diverged from the actual dependencies declared in the project?
I hadn't actually considered the latter, but yes, that would be important too, I believe.
On Mon, Mar 21, 2022 at 5:45 AM Bram Verburg wrote:
> What do you mean exactly by 'valid bom.xml'? That the file is well-formed? That it validates against the XSD? That the content hasn't diverged from the actual dependencies declared in the project?
So you are looking for a Mix command that you can run in a CI environment and that exits with a non-zero error code if a newly generated bom.xml would be semantically different from the existing one, instead of just overwriting it and returning success?
Actually looking for an API. But I believe that would be a useful feature as well.
On Mon, Mar 21, 2022 at 9:49 AM Bram Verburg wrote:
> So you are looking for a Mix command that you can run in a CI environment and that exits with a non-zero error code if a newly generated bom.xml would be semantically different from the existing one, instead of just overwriting it and returning success?
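A standalone drift check of the kind discussed in this thread, added here as an example (Python, not part of the sbom library or its API): it compares the components declared in a checked-in bom.xml with those in a freshly generated one, ignores serialNumber and metadata/timestamp (which change on every generation), and exits non-zero on any difference. The two sample CycloneDX documents and their hash values are constructed for the example.

```python
import sys
import xml.etree.ElementTree as ET

def _local(tag):
    # Drop the CycloneDX namespace so the check works for any schema version.
    return tag.rsplit("}", 1)[-1]

def component_set(bom_xml):
    """Set of (purl, version, sha256) triples a bom.xml declares. serialNumber
    and metadata/timestamp are ignored: they are not a semantic difference."""
    found = set()
    for comp in ET.fromstring(bom_xml).iter():
        if _local(comp.tag) != "component":
            continue
        fields, sha = {}, ""
        for child in comp:
            if _local(child.tag) == "hashes":
                for h in child:
                    if _local(h.tag) == "hash" and h.get("alg") == "SHA-256":
                        sha = (h.text or "").strip()
            else:
                fields[_local(child.tag)] = (child.text or "").strip()
        found.add((fields.get("purl", ""), fields.get("version", ""), sha))
    return found

def bom_drift(existing_xml, fresh_xml):
    """(added, removed) component triples; both empty means no drift."""
    old, new = component_set(existing_xml), component_set(fresh_xml)
    return sorted(new - old), sorted(old - new)

# Constructed sample BOMs (hash values are placeholders, not real digests);
# only serialNumber, timestamp and the plug version differ between them.
_COMP = ('<component type="library"><name>{n}</name><version>{v}</version>'
         '<purl>pkg:hex/{n}@{v}</purl><hashes><hash alg="SHA-256">{h}</hash>'
         '</hashes></component>')
_BOM = ('<bom xmlns="http://cyclonedx.org/schema/bom/1.2" serialNumber="{sn}" '
        'version="1"><metadata><timestamp>{ts}</timestamp></metadata>'
        '<components>{c}</components></bom>')
EXISTING_BOM = _BOM.format(sn="urn:uuid:00000000-0000-0000-0000-000000000001",
    ts="2022-03-01T00:00:00Z", c=_COMP.format(n="plug", v="1.13.4", h="aa11")
    + _COMP.format(n="jason", v="1.3.0", h="bb22"))
FRESH_BOM = _BOM.format(sn="urn:uuid:00000000-0000-0000-0000-000000000002",
    ts="2022-03-21T00:00:00Z", c=_COMP.format(n="plug", v="1.13.6", h="cc33")
    + _COMP.format(n="jason", v="1.3.0", h="bb22"))

if __name__ == "__main__":
    added, removed = bom_drift(EXISTING_BOM, FRESH_BOM)
    print("added:", [a[0] for a in added], "removed:", [r[0] for r in removed])
    sys.exit(1 if added or removed else 0)  # non-zero exit fails the CI job
```

In a real pipeline the fresh document would come from regenerating the SBOM into a temporary path rather than from the embedded sample.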