CERTCC / SBOM

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
MIT License

Import CycloneDx request from sFractal #3

Closed sparrell closed 3 years ago

sparrell commented 3 years ago

Many build tools create CycloneDx SBOMs. Having an import-CycloneDx button (similar to import-spdx and import-excel) would save me typing them into the form or making a fake SBOM and using the hierarchy features.

sei-vsarvepalli commented 3 years ago

Hi Duncan,

Thanks for creating this. I know you had asked for it and I had dropped the ball! Can you provide samples apart from what I generate, so I can have a wider corpus to test the import of CycloneDX? CycloneDX JSON and XML, if possible, for each scenario below would be helpful:

  1. Simple SBOM with one product and two sub-components included in a single-tier relationship
  2. SBOM with three or more levels of relationship between sub-components.
  3. SBOM with an external relationship either embedded into one CycloneDX file or as two distinct CycloneDX files

Thanks

sparrell commented 3 years ago

https://cyclonedx.org/#example-sbom has an example in both xml and JSON. There is a multilevel example at https://cyclonedx.org/ext/dependency-graph/. There are a bunch of other examples on that website. You might also want to look at https://github.com/CycloneDX/gh-node-module-generatebom.

iPhone, iTypo, iApologize


sei-vsarvepalli commented 3 years ago

Hi Duncan,

I have been running some sample parsers on CycloneDX. There are a number of challenges in reliably parsing CycloneDX, both XML and JSON.

  1. There are too many options for the same information, like vendor/supplier/manufacture/publisher. These are not tags but distinct fields, making it somewhat difficult to look for both, or either one.
  2. The XML and JSON parsers, with verification against the XML Namespace and JSON Schema, require a number of schemas to be downloaded and then loaded in memory. This opens up many other issues, like performance, cross-site security, and unparseable errors.

I am going to put this "on hold" for now, due to all these challenges.

Vijay
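An added example, not code from this issue thread or the CERTCC/SBOM tool, that exercises the two points above (the several supplier/publisher fields, and the multi-level `dependencies` graph asked for in scenario 2 earlier in the thread) on a small constructed CycloneDX 1.2 JSON document, plus a referential check for dependsOn targets that no component declares. `SAMPLE_BOM` and the three functions are this example's own names.

```python
import json
from typing import Dict, List, Optional

# Constructed CycloneDX 1.2 JSON sample (not from the issue or the CERTCC/SBOM tool):
# one product with two libraries, one of which pulls in a third (three levels deep).
SAMPLE_BOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1,
  "metadata": {"component": {"type": "application", "bom-ref": "app", "name": "demo-app",
                             "version": "1.0.0", "supplier": {"name": "Example Vendor"}}},
  "components": [
    {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.1",
     "publisher": "Example Publisher"},
    {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9",
     "supplier": {"name": "Example Supplier"}},
    {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": "3.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["lib-a", "lib-b"]},
    {"ref": "lib-b", "dependsOn": ["lib-c"]}
  ]
}""")

def producer(component: dict) -> Optional[str]:
    """Fold the separate 'who made this' fields into one name.
    CycloneDX 'publisher' is a plain string; 'supplier' is an object with a 'name'."""
    if isinstance(component.get("publisher"), str):
        return component["publisher"]
    supplier = component.get("supplier")
    return supplier.get("name") if isinstance(supplier, dict) else None

def dependency_depths(bom: dict) -> Dict[str, int]:
    """Breadth-first walk of 'dependencies' from the root product: shortest depth per
    bom-ref (root = 0). A ref with a depth is never queued again, so cycles terminate."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    root = bom["metadata"]["component"]["bom-ref"]
    depths, queue = {root: 0}, [root]
    while queue:
        ref = queue.pop(0)
        for child in edges.get(ref, []):
            if child not in depths:
                depths[child] = depths[ref] + 1
                queue.append(child)
    return depths

def dangling_refs(bom: dict) -> List[str]:
    """dependsOn targets that no component declares: a malformed or edited SBOM."""
    known = {bom["metadata"]["component"]["bom-ref"]}
    known |= {c["bom-ref"] for c in bom.get("components", []) if "bom-ref" in c}
    return sorted({ref for d in bom.get("dependencies", [])
                   for ref in d.get("dependsOn", []) if ref not in known})
```

Schema validation is left out on purpose; if it is added, the schema should be read from a file shipped with the tool rather than fetched at parse time, which sidesteps the cross-site concern in point 2.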

sparrell commented 3 years ago

Thanks for trying. So, just so I understand: you can still output CycloneDX XML & JSON, but you can't accept external input due to parsing issues. Correct?

Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/

sei-vsarvepalli commented 3 years ago

Yes, correct, Duncan. Parsing CycloneDX is put on hold for now, as it involves quite a bit of development and a corpus of documents to test against. I believe these will both happen eventually as demand increases; then I can put in time or muster up resources internally to take this up.

Vijay

sei-vsarvepalli commented 3 years ago

Cyclone DX JSON is available for output now.