
feat: support json output format

Open aschiavon91 opened this issue 2 years ago • 7 comments

Hey guys, firstly, thanks for the work! I did some refactoring and implemented a JSON encoder. I tested the results with sbom-utility, and everything seems fine. This closes #3.

Edit: I don't know if `encoding` is the best name for the option to configure the output format, but the alias `-f` is already being used by the force option.

aschiavon91, Nov 08 '23 21:11

Thanks for the PR! The main reason this was not implemented so far was the fact that installing the tool with `mix archive.install` does not work with dependencies. I would like to retain the ability to install the tool on-the-fly (e.g. inside a CI job) without adding it as a declared dependency to the project, if possible.

Producing XML is easy with just standard library tooling, the question is whether it would be feasible to implement a minimal JSON encoder within the tool. What do you think?

voltone, Nov 13 '23 09:11
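The question above is whether a JSON encoder small enough to live inside a dependency-free Mix archive is feasible. The following is an added example, not code from the sbom project or from the PR under discussion, written against the Elixir standard library only. The module name `SbomJsonExample`, its function names and the sample BOM map are assumptions made for illustration. The point a reviewer would care about is the string escaping: quote, backslash and every control character below U+0020 must be escaped (RFC 8259), and invalid UTF-8 must be rejected rather than passed through, because package names, descriptions and URLs in an SBOM come from third-party Hex metadata.

```elixir
# Added example (not the sbom project's own code): a dependency-free JSON
# encoder using only the Elixir standard library. Module and function names
# are assumed for illustration.
defmodule SbomJsonExample do
  @moduledoc """
  Encodes maps, lists, strings, integers, floats, booleans, nil and atoms as
  JSON. Map keys are sorted so the output is deterministic, which keeps SBOM
  diffs stable between CI runs.
  """

  @spec encode!(term()) :: String.t()
  def encode!(term), do: term |> do_encode() |> IO.iodata_to_binary()

  # Literal atoms must be matched before the generic atom clause.
  defp do_encode(nil), do: "null"
  defp do_encode(true), do: "true"
  defp do_encode(false), do: "false"
  defp do_encode(atom) when is_atom(atom), do: do_encode(Atom.to_string(atom))
  defp do_encode(n) when is_integer(n), do: Integer.to_string(n)
  defp do_encode(f) when is_float(f), do: Float.to_string(f)

  defp do_encode(s) when is_binary(s) do
    # Refuse invalid UTF-8 instead of emitting raw bytes into the document.
    if String.valid?(s) do
      [?", escape(s), ?"]
    else
      raise ArgumentError, "string is not valid UTF-8: #{inspect(s)}"
    end
  end

  defp do_encode(list) when is_list(list) do
    [?[, list |> Enum.map(&do_encode/1) |> Enum.intersperse(?,), ?]]
  end

  defp do_encode(map) when is_map(map) do
    pairs =
      map
      |> Enum.sort()
      |> Enum.map(fn {k, v} -> [do_encode(key_to_string(k)), ?:, do_encode(v)] end)
      |> Enum.intersperse(?,)

    [?{, pairs, ?}]
  end

  defp do_encode(other) do
    raise ArgumentError, "cannot encode #{inspect(other)} as JSON"
  end

  defp key_to_string(k) when is_binary(k), do: k
  defp key_to_string(k) when is_atom(k), do: Atom.to_string(k)

  defp key_to_string(k) do
    raise ArgumentError, "JSON object keys must be strings or atoms, got #{inspect(k)}"
  end

  # Byte-wise escaping per RFC 8259. Multi-byte UTF-8 sequences are all
  # >= 0x80 and pass through untouched; only ", \ and bytes < 0x20 need work.
  defp escape(<<>>), do: []
  defp escape(<<?", rest::binary>>), do: ["\\\"" | escape(rest)]
  defp escape(<<?\\, rest::binary>>), do: ["\\\\" | escape(rest)]
  defp escape(<<?\n, rest::binary>>), do: ["\\n" | escape(rest)]
  defp escape(<<?\r, rest::binary>>), do: ["\\r" | escape(rest)]
  defp escape(<<?\t, rest::binary>>), do: ["\\t" | escape(rest)]
  defp escape(<<8, rest::binary>>), do: ["\\b" | escape(rest)]
  defp escape(<<12, rest::binary>>), do: ["\\f" | escape(rest)]

  defp escape(<<c, rest::binary>>) when c < 0x20 do
    ["\\u", String.pad_leading(Integer.to_string(c, 16), 4, "0") | escape(rest)]
  end

  defp escape(<<c, rest::binary>>), do: [c | escape(rest)]

  @doc """
  Constructed sample (not a real SBOM): a CycloneDX-shaped map whose
  description carries a quote, a backslash, a newline, a control byte and a
  tab, to exercise every escape path.
  """
  def demo do
    bom = %{
      "bomFormat" => "CycloneDX",
      "specVersion" => "1.4",
      "components" => [
        %{
          "type" => "library",
          "name" => "example_dep",
          "version" => "1.0.0",
          "description" => "quote\" backslash\\ newline\n ctrl\x01 tab\t",
          "purl" => "pkg:hex/example_dep@1.0.0"
        }
      ]
    }

    encode!(bom)
  end
end
```

Running `SbomJsonExample.demo()` returns a single-line JSON document in which the hostile description is emitted as `\"`, `\\`, `\n`, `\u0001` and `\t` respectively, so a validator such as sbom-utility will parse it, and a crafted dependency description cannot terminate the string early or smuggle in additional keys. The encoder deliberately omits pretty-printing and U+2028/U+2029 escaping, neither of which RFC 8259 requires.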

Hey @voltone, thanks for the explanation, I didn't know that. Yeah, I think we can do it!

aschiavon91, Nov 13 '23 15:11

The JSON encoder covers the very basic stuff, but I do think it's enough for now. What do you think, @voltone? Also, I tested it again using sbom-utility and it worked as expected.

aschiavon91, Nov 14 '23 02:11

May I ask where the JSON encoder code is coming from? I found some similar-looking code online, and I want to make sure any re-use of code is allowed by the license under which the original code was released.

voltone, Nov 15 '23 13:11

For sure! I only copied the implementation related to binary encoding from here; all the other stuff I implemented myself.

aschiavon91, Nov 15 '23 23:11

Sorry for ignoring this PR for so long; we've been discussing the best way forward in the EEF SecurityWG. We are considering moving maintenance of these Mix and Rebar3 plugins to the WG. In the process we might change this package to be an escript rather than a Mix archive, which would allow us to use package dependencies. I will keep you posted...

voltone, Dec 18 '23 09:12

No problem at all, and thanks for the update. If there's anything I can help with, please let me know.

aschiavon91, Dec 18 '23 12:12