hansbusch / swiftbom
This project forked from certcc/sbom
Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
License: MIT License
Missing features:
The current implementation adds the following line to each component:
Relationship: $SPDXID CONTAINS NOASSERTION
Since all dependent components are expected to be fully declared, a CONTAINS relationship with a NOASSERTION target carries no information and should not be emitted.
Locally defined license IDs (LicenseID entries for licenses that are not on the SPDX license list) must start with 'LicenseRef-'.
Add this check to validation.
The current implementation expects exactly one relationship whose identifier does not start with "NO" (i.e. is neither NONE nor NOASSERTION) and assumes that it describes which other component CONTAINS this one. A component may in fact have zero or several such relationships.
Drawbacks
The parser should concatenate multi-line text values instead of adding each piece to khash.
An external NuGet reference must consist of a package name, followed by a slash, followed by a version number.
Add a verification regex.
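One possible verification regex for the NuGet reference format described above, added here as an example and not the project's own code. The character classes are assumptions for this example: NuGet package IDs are taken to use letters, digits, '.', '_' and '-', and versions to have one to four numeric parts with optional SemVer prerelease and build-metadata suffixes. The sample references are constructed.

```javascript
// Added example (not the project's own code): verify external NuGet
// references written as "<package id>/<version>".
// Assumed character classes: NuGet IDs use letters, digits, '.', '_' and '-';
// versions have 1-4 numeric parts plus optional "-prerelease" and "+build".
const NUGET_REF = /^([A-Za-z0-9_.-]+)\/(\d+(?:\.\d+){0,3}(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?)$/;

// Returns { name, version } for a well-formed reference, null otherwise.
function parseNugetReference(ref) {
  const m = NUGET_REF.exec(ref.trim());
  return m ? { name: m[1], version: m[2] } : null;
}

// Validates a whole list and returns every malformed entry, so the user sees
// all problems in one pass rather than one per attempt.
function invalidNugetReferences(refs) {
  return refs.filter((ref) => parseNugetReference(ref) === null);
}

// Constructed sample input: three valid references, four malformed ones.
const SAMPLE_REFS = [
  'Newtonsoft.Json/12.0.3',
  'Microsoft.Extensions.Logging/6.0.0-preview.1.21102.12',
  'System.Text.Json/7.0.0+build.7',
  'Newtonsoft.Json 12.0.3',   // missing slash
  'Newtonsoft.Json/v12.0.3',  // version must start with a digit
  'Foo/Bar/1.0.0',            // more than one slash
  'Foo/1.0.0.0.0',            // five numeric parts
];

console.log('malformed references:', invalidNugetReferences(SAMPLE_REFS));
```

The regex is anchored at both ends, so a second slash or a leading "v" in the version is rejected rather than silently truncated.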
The check method should mark all missing required fields at once instead of stopping at the first one.
The current implementation ignores its input and outputs dummy content.
The original implementation assumes that the same tags are present for each package. If they are not, the association between tags and components becomes misaligned.
Proposal: require PackageName to be the first tag of a component and start a new component at every PackageName tag.
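A parser sketch for the proposal above, added here as an example rather than the project's own code. It starts a new component at every PackageName tag instead of assuming equal tag counts, joins multi-line text values, reports all missing required tags of a package at once, and treats CONTAINS relationships as noted earlier (NOASSERTION targets count for nothing; zero or several parents are returned as found). REQUIRED_PACKAGE_TAGS is an assumed set for this example, and the sample document is constructed.

```javascript
// Added example (not the project's own code): SPDX 2.x tag-value parsing that
// delimits packages at PackageName. REQUIRED_PACKAGE_TAGS is assumed for this
// example; SAMPLE_SPDX is a constructed document.
const REQUIRED_PACKAGE_TAGS = [
  'PackageName', 'SPDXID', 'PackageDownloadLocation',
  'PackageLicenseConcluded', 'PackageLicenseDeclared', 'PackageCopyrightText',
];

// Returns an array of packages; each maps a tag to the list of its values
// (tags such as ExternalRef may repeat). Document-level tags before the first
// PackageName are ignored; tags after a package (e.g. Relationship) attach to it.
function parseTagValue(doc) {
  const packages = [];
  let current = null;
  let pending = null; // { tag, parts } while inside a multi-line <text> value
  for (const rawLine of doc.split(/\r?\n/)) {
    if (pending) {
      const end = rawLine.indexOf('</text>');
      if (end === -1) { pending.parts.push(rawLine); continue; }
      pending.parts.push(rawLine.slice(0, end));
      addValue(current, pending.tag, pending.parts.join('\n'));
      pending = null;
      continue;
    }
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#')) continue;
    const m = /^([A-Za-z]+):\s*(.*)$/.exec(line);
    if (!m) throw new Error(`malformed tag-value line: ${line}`);
    const [, tag, value] = m;
    if (tag === 'PackageName') {      // new component, whatever tags the
      current = Object.create(null);  // previous one had or lacked
      packages.push(current);
    }
    if (!current) continue;
    if (value.startsWith('<text>')) {
      const rest = value.slice('<text>'.length);
      const end = rest.indexOf('</text>');
      if (end === -1) { pending = { tag, parts: [rest] }; continue; }
      addValue(current, tag, rest.slice(0, end));
    } else {
      addValue(current, tag, value);
    }
  }
  if (pending) throw new Error(`unterminated <text> in ${pending.tag}`);
  return packages;
}

function addValue(pkg, tag, value) {
  (pkg[tag] || (pkg[tag] = [])).push(value);
}

// Every required tag the package lacks, not just the first one found.
function missingRequiredTags(pkg, required = REQUIRED_PACKAGE_TAGS) {
  return required.filter((tag) => !pkg[tag] || pkg[tag].length === 0);
}

// Parents that CONTAIN spdxId, collected from every Relationship tag. A
// "CONTAINS NOASSERTION" line never matches a real SPDXID, so it is simply
// not counted; zero or several parents are returned rather than assuming one.
function containingParents(packages, spdxId) {
  const parents = [];
  for (const pkg of packages) {
    for (const rel of pkg.Relationship || []) {
      const [from, type, to] = rel.split(/\s+/);
      if (type === 'CONTAINS' && to === spdxId) parents.push(from);
    }
  }
  return parents;
}

// Constructed sample: "beta" lacks two tags that "alpha" has, which would
// shift beta's values under the wrong tags in an equal-tag-count parser.
const SAMPLE_SPDX = `SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: sample
PackageName: alpha
SPDXID: SPDXRef-alpha
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: <text>Copyright 2020
Example Org</text>
Relationship: SPDXRef-alpha CONTAINS NOASSERTION
PackageName: beta
SPDXID: SPDXRef-beta
PackageDownloadLocation: https://example.invalid/beta-1.0.tgz
PackageLicenseDeclared: Apache-2.0
Relationship: SPDXRef-alpha CONTAINS SPDXRef-beta
`;

function report(doc) {
  const packages = parseTagValue(doc);
  return packages.map((pkg) => ({
    name: pkg.PackageName[0],
    missing: missingRequiredTags(pkg),
    containedBy: containingParents(packages, pkg.SPDXID[0]),
  }));
}

console.log(JSON.stringify(report(SAMPLE_SPDX), null, 2));
```

For the constructed document the report lists beta with both PackageLicenseConcluded and PackageCopyrightText missing and with SPDXRef-alpha as its only parent, while alpha is complete and has no parent.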
Any license ID used shall either be taken from the license list in Annex A of the SPDX specification or be defined within the SBOM (via a LicenseID entry carrying the LicenseRef- prefix).
Check that only valid license IDs are used.
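One way to implement both license checks from this list (the LicenseRef- prefix rule for locally defined IDs and the "on the license list or defined in the document" rule), added here as an example that is not the project's own code. The document shape is a simplified object assumed for this example, SPDX_LICENSE_LIST is a small constructed subset of the real Annex A list (the full licenses.json should be loaded in practice), and DocumentRef-qualified external license references are out of scope.

```javascript
// Added example (not the project's own code): validate license IDs used in
// package license expressions. SPDX_LICENSE_LIST is a constructed subset of
// the real list; the document object shape is assumed for this example.
const SPDX_LICENSE_LIST = new Set([
  'MIT', 'Apache-2.0', 'GPL-2.0-only', 'GPL-2.0-or-later', 'BSD-3-Clause', 'CC0-1.0',
]);

// Locally defined IDs: "LicenseRef-" followed by letters, digits, '.' or '-'.
const LICENSE_REF_PATTERN = /^LicenseRef-[A-Za-z0-9.-]+$/;

// Extracts the license IDs referenced by an SPDX license expression. The
// operators AND/OR are dropped, the exception name after WITH is skipped
// (exceptions live on a separate list), and a trailing '+' is stripped.
function licenseIdsIn(expression) {
  const ids = [];
  const tokens = expression.replace(/[()]/g, ' ').split(/\s+/).filter(Boolean);
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    const op = t.toUpperCase();
    if (op === 'AND' || op === 'OR') continue;
    if (op === 'WITH') { i++; continue; }
    ids.push(t.endsWith('+') ? t.slice(0, -1) : t);
  }
  return ids;
}

// Returns every problem found, not just the first. `doc` is
// { extractedLicenseIds: [...LicenseID values], packages: [{ SPDXID, ... }] }.
function validateLicenses(doc) {
  const errors = [];
  const declared = new Set();
  for (const id of doc.extractedLicenseIds) {
    if (!LICENSE_REF_PATTERN.test(id)) {
      errors.push(`LicenseID '${id}' must start with 'LicenseRef-'`);
    } else {
      declared.add(id);
    }
  }
  for (const pkg of doc.packages) {
    for (const field of ['PackageLicenseConcluded', 'PackageLicenseDeclared']) {
      const expr = pkg[field];
      if (expr === undefined || expr === 'NONE' || expr === 'NOASSERTION') continue;
      for (const id of licenseIdsIn(expr)) {
        if (SPDX_LICENSE_LIST.has(id) || declared.has(id)) continue;
        errors.push(`${pkg.SPDXID}: ${field} uses unknown license ID '${id}'`);
      }
    }
  }
  return errors;
}

// Constructed sample document: one malformed LicenseID, one expression that
// uses it, and one expression with an ID that exists nowhere.
const SAMPLE_LICENSE_DOC = {
  extractedLicenseIds: ['LicenseRef-Acme-Internal', 'Acme-EULA'],
  packages: [
    { SPDXID: 'SPDXRef-alpha',
      PackageLicenseConcluded: 'MIT AND LicenseRef-Acme-Internal',
      PackageLicenseDeclared: 'MIT' },
    { SPDXID: 'SPDXRef-beta',
      PackageLicenseConcluded: '(GPL-2.0-only WITH Classpath-exception-2.0) OR Acme-EULA',
      PackageLicenseDeclared: 'NOASSERTION' },
    { SPDXID: 'SPDXRef-gamma',
      PackageLicenseDeclared: 'BSD-3-Clause OR UnknownLicense' },
  ],
};

console.log(validateLicenses(SAMPLE_LICENSE_DOC));
```

A malformed LicenseID is reported once for the declaration and again wherever an expression relies on it, since an ID without the prefix never becomes a valid definition.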
Microsoft file locations contain backslashes.
Backslashes are not forbidden in JSON, but inside a string they must be escaped as \\; an unescaped backslash makes the document invalid JSON. Paths should therefore be escaped on serialization or normalized to forward slashes.
The UI supports only a single creator, although an SPDX document may list several Creator entries, e.g. a Person and a Tool.
Child BOM should support two modes:
The implementation looks very incomplete: it does not even read the primary component information, but it does lock the controls.
On first load one extra component is shown that has to be removed before export is possible.
Subsequent loads add numerous additional empty components that cannot be removed.
After the primary component is assigned it is removed from the list; it is unclear why this is needed. There was a glitch where the removal tested for equal list length, which is not guaranteed for optional items, resulting in a wrong association.
The implementation assumes that the first item is the primary component. When loading sets of BOMs, an ID may occur multiple times: as a reference in the parent as well as the primary component of a dependent BOM.
It is unclear whether the tool rejects non-GUID SPDXIDs or generally generates new IDs.
Some tools output RDF; it would be nice to be able to import it.