hansbusch / swiftbom
This project is forked from certcc/sbom.
Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
License: MIT License
Microsoft file locations have a backslash.
However, unescaped backslashes are not allowed in JSON.
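The defect above in working form, as an added example that is not code from swiftbom or certcc/sbom: a Windows file location spliced into a JSON string by concatenation produces an unparseable document, because a lone backslash is not a valid JSON escape. Serialising with JSON.stringify escapes each backslash as `\\`; normalising the separators to forward slashes is the alternative when consumers accept that form. Function names and the sample path are this example's own.

```javascript
// Added example (not swiftbom/certcc code): getting a Windows file location
// into a JSON document without producing invalid output.

// Buggy approach: splicing the raw path into a JSON text.  "\P", "\V" and
// "\l" are not JSON escapes, so the result cannot be parsed.
function naiveJsonForLocation(path) {
  return '{"fileLocation": "' + path + '"}';
}

// Fix 1: let the serialiser escape every backslash as \\ (two characters in the text).
function jsonForLocation(path) {
  return JSON.stringify({ fileLocation: path });
}

// Fix 2: normalise to forward slashes before serialising.  Only appropriate when
// every consumer of the SBOM treats "/" as a path separator on Windows as well.
function normaliseLocation(path) {
  return path.replace(/\\/g, "/");
}

// Helper used to demonstrate which variant survives a round trip.
function isValidJson(text) {
  try {
    JSON.parse(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample location (not taken from any real SBOM).
const SAMPLE_LOCATION = "C:\\Program Files\\Vendor\\lib\\acme.dll";
```

Run stand-alone, `isValidJson(naiveJsonForLocation(SAMPLE_LOCATION))` is false while `jsonForLocation(SAMPLE_LOCATION)` parses back to the original path unchanged.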
The current implementation expects exactly one relationship whose identifier does not start with "NO" and assumes that this describes how another component CONTAINS this one.
Drawbacks
Internal defined license IDs must start with 'LicenseRef-'.
Add check to validation.
The implementation assumes that the first item is the primary component. When loading sets of BOMs, the same ID may occur multiple times: as a reference in the parent BOM as well as the primary component in a dependent BOM.
Current implementation ignores input and outputs dummy content
On first load one extra component is shown that needs to be removed before being able to export.
Subsequent loads add numerous additional empty components without possibility to remove.
Current implementation adds to each component the following line
Relationship: $SPDXID CONTAINS NOASSERTION
However, we expect all dependent components to be fully declared, so why add this line?
Missing features:
Child BOM should support two modes:
The implementation looks very incomplete: it does not even read the primary component information, but it locks the controls.
Not sure whether the tool doesn't like non-GUID SPDXIDs or generally generates new IDs.
The UI supports just a single creator, although an SPDX document may contain several, e.g. a person and a tool.
The original implementation assumes that the same tags are present for each package. If not, the association between tags and components gets messed up.
Propose to require PackageName as first tag of a component.
The check method should mark all missing required fields at once.
Any license ID provided shall be either taken from the license list in Annex A of the SPDX specification or it must be defined within the SBOM.
Check that only valid license IDs are used.
An external nuget reference must consist of a name followed by a slash and followed by a version number.
Add verification regex.
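The checks asked for above (LicenseRef- prefix for internally defined licenses, license IDs taken from the SPDX list or defined in the SBOM, a verification regex for nuget references, and marking all missing required fields at once) in one validator, as an added example that is not code from swiftbom or certcc/sbom. The license list here is a small illustrative subset of Annex A, the required-tag subset, the record shape and the exact "name/version" pattern are this example's own assumptions.

```javascript
// Added example, not swiftbom or certcc/sbom code.  Validates parsed SPDX package
// records and returns every problem found instead of stopping at the first one.

// Illustrative subset of the SPDX Annex A license identifiers (the real list is far longer).
const SPDX_LICENSE_LIST = new Set(["MIT", "Apache-2.0", "BSD-3-Clause", "GPL-2.0-only", "GPL-3.0-or-later"]);

// Tags every package record must carry; a subset chosen for the example.
const REQUIRED_TAGS = ["PackageName", "SPDXID", "PackageDownloadLocation"];

// Assumed shape of a nuget locator "name/version": a package id, one slash, a dotted
// numeric version with an optional pre-release or build suffix.
const NUGET_LOCATOR = /^[A-Za-z0-9][A-Za-z0-9._-]*\/[0-9]+(\.[0-9]+)*([-+][0-9A-Za-z.-]+)?$/;

// Licenses defined inside the SBOM itself ("LicenseID: LicenseRef-...").
function definedLicenseRefs(doc) {
  return new Set(doc.extractedLicenses.map((l) => l.LicenseID));
}

// Split a license expression into bare identifiers, dropping operators and parentheses.
// The exception name after WITH is skipped; this example does not validate exceptions.
function licenseIds(expr) {
  const tokens = expr.replace(/[()]/g, " ").split(/\s+/).filter(Boolean);
  const ids = [];
  for (let i = 0; i < tokens.length; i++) {
    const t = tokens[i];
    if (t === "AND" || t === "OR") continue;
    if (t === "WITH") { i++; continue; }
    ids.push(t.endsWith("+") ? t.slice(0, -1) : t);
  }
  return ids;
}

// Every id must come from the SPDX list or be a LicenseRef- that the SBOM defines.
function checkLicense(expr, localRefs, where, errors) {
  if (expr === "NOASSERTION" || expr === "NONE") return;
  for (const id of licenseIds(expr)) {
    if (SPDX_LICENSE_LIST.has(id)) continue;
    if (!id.startsWith("LicenseRef-")) {
      errors.push(`${where}: license id "${id}" is neither an SPDX list id nor a LicenseRef-`);
    } else if (!localRefs.has(id)) {
      errors.push(`${where}: ${id} is not defined in this SBOM`);
    }
  }
}

// Returns the complete list of problems; an empty array means the document passed.
function validateDocument(doc) {
  const errors = [];
  const localRefs = definedLicenseRefs(doc);
  for (const lic of doc.extractedLicenses) {
    if (!lic.LicenseID.startsWith("LicenseRef-")) {
      errors.push(`LicenseID "${lic.LicenseID}" must start with LicenseRef-`);
    }
  }
  doc.packages.forEach((pkg, idx) => {
    const where = pkg.PackageName ? `package ${pkg.PackageName}` : `package #${idx}`;
    for (const tag of REQUIRED_TAGS) {
      if (!pkg[tag]) errors.push(`${where}: missing required tag ${tag}`);
    }
    for (const tag of ["PackageLicenseConcluded", "PackageLicenseDeclared"]) {
      if (pkg[tag]) checkLicense(pkg[tag], localRefs, where, errors);
    }
    for (const ref of pkg.externalRefs || []) {
      if (ref.type === "nuget" && !NUGET_LOCATOR.test(ref.locator)) {
        errors.push(`${where}: nuget reference "${ref.locator}" is not name/version`);
      }
    }
  });
  return errors;
}

// Constructed sample document carrying several deliberate defects.
const SAMPLE_DOC = {
  extractedLicenses: [{ LicenseID: "LicenseRef-Acme-EULA" }, { LicenseID: "Acme-Internal" }],
  packages: [
    { PackageName: "acme-core", SPDXID: "SPDXRef-Package-acme-core",
      PackageDownloadLocation: "NOASSERTION", PackageLicenseConcluded: "MIT OR LicenseRef-Acme-EULA",
      externalRefs: [{ category: "PACKAGE-MANAGER", type: "nuget", locator: "Acme.Core/2.1.0" }] },
    { PackageName: "acme-ui", SPDXID: "SPDXRef-Package-acme-ui",
      PackageLicenseDeclared: "LicenseRef-Missing AND FooBar-1.0",
      externalRefs: [{ category: "PACKAGE-MANAGER", type: "nuget", locator: "Acme.UI" }] },
  ],
};
```

`validateDocument(SAMPLE_DOC)` reports five problems in one pass: the LicenseID without the LicenseRef- prefix, the missing PackageDownloadLocation, the undefined LicenseRef-Missing, the unknown FooBar-1.0 and the nuget locator lacking a version. Collecting rather than returning early is what lets a UI mark every missing field at once.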
The parser should concatenate text instead of adding it to a hash,
After the primary component is assigned, it is removed from the list. Not sure why this is needed. There was a glitch where the removal tested for equal list length, which is not guaranteed for optional items, resulting in a wrong association.
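The parsing behaviour proposed in the notes above (a component starts at its PackageName tag so that packages with differing optional tags are not mis-associated, multi-line text is concatenated rather than keyed, the first package is the primary component, and CONTAINS relationships whose target starts with "NO" carry no information) as one small tag-value reader. This is an added example, not code from swiftbom or certcc/sbom; the function names, the record shape and the sample document are this example's own, and document-level tags are deliberately not retained.

```javascript
// Added example, not swiftbom or certcc/sbom code: a minimal SPDX tag-value reader.
// A new package record is opened at every PackageName tag, so a package that lacks an
// optional tag cannot shift the following values onto its neighbour, and <text>...</text>
// values spanning several lines are joined into one string.

function parseTagValue(text) {
  const doc = { packages: [], relationships: [] };
  let current = null;   // package record currently being filled
  let pending = null;   // { tag, lines } while inside an unterminated <text> block
  for (const rawLine of text.split(/\r?\n/)) {
    if (pending) {
      const end = rawLine.indexOf("</text>");
      if (end === -1) { pending.lines.push(rawLine); continue; }
      pending.lines.push(rawLine.slice(0, end));
      store(doc, current, pending.tag, pending.lines.join("\n"));
      pending = null;
      continue;
    }
    const line = rawLine.trim();
    if (line === "" || line.startsWith("#")) continue;   // blank lines and comments
    const sep = line.indexOf(":");
    if (sep === -1) continue;                            // not a tag line; ignored
    const tag = line.slice(0, sep).trim();
    let value = line.slice(sep + 1).trim();
    if (value.startsWith("<text>")) {
      const rest = value.slice("<text>".length);
      const end = rest.indexOf("</text>");
      if (end === -1) { pending = { tag, lines: [rest] }; continue; }
      value = rest.slice(0, end);
    }
    if (tag === "PackageName") {       // first tag of every component
      current = { PackageName: value };
      doc.packages.push(current);
      continue;
    }
    store(doc, current, tag, value);
  }
  return doc;
}

// Attach a tag to the open package; relationships are collected at document level.
// Document-level tags seen before the first PackageName are dropped in this example.
function store(doc, current, tag, value) {
  if (tag === "Relationship") {
    const [from, type, to] = value.split(/\s+/);
    doc.relationships.push({ from, type, to });
    return;
  }
  if (!current) return;
  current[tag] = tag in current ? current[tag] + "\n" + value : value;
}

// Primary component: the first package, as the notes assume.
function primaryPackage(doc) {
  return doc.packages[0] || null;
}

// CONTAINS edges with a real target; NOASSERTION and NONE targets say nothing.
function containsEdges(doc) {
  return doc.relationships.filter((r) => r.type === "CONTAINS" && !r.to.startsWith("NO"));
}

// Constructed sample: the second package lacks the optional PackageVersion tag.
const SAMPLE_TAG_VALUE = `
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: acme-app
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-acme-app

PackageName: acme-app
SPDXID: SPDXRef-Package-acme-app
PackageVersion: 1.0.0
PackageDownloadLocation: NOASSERTION
PackageComment: <text>Built from
two lines of comment</text>
Relationship: SPDXRef-Package-acme-app CONTAINS SPDXRef-Package-acme-core

PackageName: acme-core
SPDXID: SPDXRef-Package-acme-core
PackageDownloadLocation: NOASSERTION
Relationship: SPDXRef-Package-acme-core CONTAINS NOASSERTION
`;
```

With `parseTagValue(SAMPLE_TAG_VALUE)`, acme-core ends up without a PackageVersion rather than inheriting the next tag in sequence, the two-line comment comes back as a single string, and `containsEdges` keeps only the acme-app CONTAINS acme-core edge.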
Some tools output RDF, and it would be nice to be able to import it.