
Streamline process of augmentation/enrichment

Status: Open. vpetersson opened this issue 5 months ago · 1 comment

I've been playing a bit with sbomasm for enrichment, and I ran into a somewhat annoying thing, which is that you can't combine a single line for doing enrichment of both document and primary-component.

Right now, my process looks something like this:

sbomasm edit \
    -o phase1.cdx.json \
    --subject document \
        --supplier "Acme Inc ([email protected])" \
        --author "Acme Inc ([email protected])" \
        --copyright "Copyright © $(date +%Y)" \
        --license "Proprietary" \
        input.cdx.json

sbomasm edit \
    -o phase2.cdx.json \
    --subject primary-component \
        --lifecycle "build" \
        --repository github.com/acme/foobar \
        --name "acme foobar backend" \
        --description "acme webapp" \
        --version "${GITHUB_SHA}" \
        phase1.cdx.json

While it's not a catastrophe to have to break apart these things into two runs, it does require a bit of shuffling files around since in-line editing isn't supported.

I can see two ways of making the process smoother:

  1. Allow for inline editing of the file.
  2. Overhaul all named arguments and give them a namespace.

In the case of 2, some intelligence can be made as lifecycle for instance can only be used in one place, whereas version can be used both in the primary component and document.

It's also worth mentioning that I did look at using the template first. However, due to the lack of variable support (needed for version), I ended up with the above.

vpetersson · Sep 04 '24 15:09
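One way to run the two-phase edit above without shuffling files by hand, as an added example that is not part of the original issue or of the sbomasm project: a POSIX sh wrapper that writes both phases to a hidden temporary directory next to the input and replaces the input only after both `sbomasm edit` runs succeed, keeping a `.bak` copy. The contact address, repository and component names are placeholders in the spirit of the issue, and the `sbomasm edit` flags are exactly those used in the report.

```shell
#!/bin/sh
# Two-phase sbomasm enrichment (document, then primary-component) with
# a safe in-place result. Usage: enrich_sbom <sbom.cdx.json> <version>
# Temporaries live beside the input so the final mv stays on one
# filesystem; a failed phase leaves the original file untouched.
enrich_sbom() {
    input=$1
    version=$2
    workdir=$(mktemp -d "$(dirname -- "$input")/.sbomasm.XXXXXX") || return 1
    phase1="$workdir/phase1.cdx.json"
    phase2="$workdir/phase2.cdx.json"

    # Phase 1: document-level metadata (placeholder supplier/author).
    sbomasm edit \
        -o "$phase1" \
        --subject document \
            --supplier "Acme Inc (security@example.com)" \
            --author "Acme Inc (security@example.com)" \
            --copyright "Copyright © $(date +%Y)" \
            --license "Proprietary" \
            "$input" || { rm -rf "$workdir"; return 1; }

    # Phase 2: primary-component metadata, reading phase 1's output.
    sbomasm edit \
        -o "$phase2" \
        --subject primary-component \
            --lifecycle "build" \
            --repository github.com/acme/foobar \
            --name "acme foobar backend" \
            --description "acme webapp" \
            --version "$version" \
            "$phase1" || { rm -rf "$workdir"; return 1; }

    # Both phases succeeded: keep a backup, then swap the result in.
    cp -p "$input" "$input.bak" && mv "$phase2" "$input"
    rc=$?
    rm -rf "$workdir"
    return $rc
}

# Example call in CI: enrich_sbom input.cdx.json "$GITHUB_SHA"
```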