hansbusch / swiftbom Goto Github PK

Microsoft file locations have a backslash.

However backslashes are not allowed in Json.

Current implementation expects exactly one relationship with identifier not starting with "NO" and assumes that this describes how another component CONTAINS itself.
Drawbacks

• A component can only be included once
• Any generator defining the inclusion otherwise will result in wrong association

Internal defined license IDs must start with 'LicenseRef-'.

Add check to validation.

Implementation assumes that first item is primary. When loading sets of boms then IDs may occur multiple times as reference in parent as well as primary in dependent bom.

• Simplify parser component access by storing components as hash of component IDs.
• Hash allows easy matching of existing bom entries avoiding duplicates

Current implementation ignores input and outputs dummy content

On first load one extra component is shown that needs to be removed before being able to export.

Subsequent loads add numerous additional empty components without possibility to remove.

Current implementation adds to each component the following line
Relationship: $SPDXID CONTAINS NOASSERTION

However we expect that all dependent components are fully declared. So why add this line?

Missing features:

• Reading of checksums
• Writing checksum information to formats other than tagged spdx

Child BOM should support two modes:

1. read primary component into BOM
2. include full recursive content

Implementation looks very incomplete and does not even read primary component information but locks controls.

Not sure whether the tool doesn't like non-GUID SPDXIDs or generally generates new IDs.

The UI supports just single creator, although SPDX may contain e.g. person and tool.

Original implementation assumes that for each package the same tags are present. If not the association between tags and components gets messed up.

Propose to require PackageName as first tag of a component.

The check method should mark all missing required fields at once.

Any license ID provided shall be either taken from the license list in Annex A of the SPDX specification or it must be defined within the SBOM.

Check that valid only license IDs are used.

An external nuget reference must consist of a name followed by a slash and followed by a version number.

Add verification regex.

Parser should concatenate text instead of adding it to khash,

After assigning primary component it is removed from list. Not sure why this is needed. There was a glitch that the removal tested for equal list length which is not guaranteed for optional items resulting in wrong association.

Some tools output RDF and it would be nice to be able to import.