CycloneDX / cyclonedx-cli

CycloneDX CLI tool for SBOM analysis, merging, diffs and format conversions.
https://cyclonedx.org/
Apache License 2.0

Add support for dynamic component pedigree #107

Open stevespringett opened 3 years ago

stevespringett commented 3 years ago

For components that a development team knows are modified, CycloneDX CLI should ideally be able to reach out into the VCS (git) and retrieve the commits that make a modified version unique.

This ticket is specific to component/pedigree/ancestors and component/pedigree/commits. Automated support for patches and resolves are outside the scope of this ticket.

Given the bom-ref of a modified component (and possibly the purl of the original component) the CLI should be able to construct the ancestors node and retrieve all commits and attach the pedigree node to the component.

This ticket was created as a result of a Slack conversation.

This ticket is related to #14.

coderpatros commented 3 years ago

This would be really cool. But how would it work?

Would the user provide the hash for the upstream commit they made their subsequent changes from?

stevespringett commented 3 years ago

Would the user provide the hash for the upstream commit they made their subsequent changes from?

My thought is either the commit hash or the tag name.

jkowalleck commented 3 years ago

In other systems I've seen things like v1.33.7+5278b9229bb058e66a74c00dc9e53604918d94b0, which is derived from the latest version tag in the git history. Since the HEAD was not tagged, an additional +<git-node-id_of_HEAD> was added.
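To make the proposal in the issue concrete (building the ancestors and commits nodes from git history, and the tag-plus-HEAD version string discussed in the last comment), here is an added example in Python. It is not cyclonedx-cli code. It assumes that commit metadata arrives as plain dicts of the kind `git log` would produce, that the pedigree layout follows the CycloneDX 1.x JSON schema fields `pedigree.ancestors`, `pedigree.commits` and `commit.uid/url/author/committer/message`, and that the fork point is known; the only hash taken from the thread is the one quoted above, every other hash, name, date and URL is a constructed placeholder.

```python
"""Construct a CycloneDX component with a pedigree node from git history.

Added example for this issue, not cyclonedx-cli code. Assumptions not on the
page: commit metadata is supplied as plain dicts (what `git log` would give),
and the pedigree layout follows the CycloneDX 1.x JSON schema fields
pedigree.ancestors, pedigree.commits and commit.uid/url/author/committer/message.
"""
import json
import re

SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample git log for a fork, newest first. The first hash is the
# one quoted in the thread; the other hashes, names, dates and URLs are
# placeholders. The last entry is the commit that upstream tagged v1.33.7.
REPO_URL = "https://example.invalid/org/example-lib"
UPSTREAM_TAG = "v1.33.7"
UPSTREAM_PURL = "pkg:generic/example-lib@1.33.7"
SAMPLE_LOG = [
    {"sha": "5278b9229bb058e66a74c00dc9e53604918d94b0",
     "author": ("Fork Dev", "dev@example.invalid", "2021-03-02T10:00:00Z"),
     "committer": ("Fork Dev", "dev@example.invalid", "2021-03-02T10:00:00Z"),
     "message": "Add build flag for static linking"},
    {"sha": "1111111111111111111111111111111111111111",
     "author": ("Fork Dev", "dev@example.invalid", "2021-03-01T09:00:00Z"),
     "committer": ("Fork Dev", "dev@example.invalid", "2021-03-01T09:30:00Z"),
     "message": "Adjust default connection timeout"},
    {"sha": "0000000000000000000000000000000000000000",
     "author": ("Upstream", "rel@example.invalid", "2021-02-20T12:00:00Z"),
     "committer": ("Upstream", "rel@example.invalid", "2021-02-20T12:00:00Z"),
     "message": "Release v1.33.7"},
]


def commits_since(log, base_sha):
    """Return the commits that make the fork unique: everything newer than
    base_sha in a newest-first log. Raise if base_sha is absent, because the
    ancestor relationship then cannot be established and no pedigree should
    be emitted on a guess."""
    for idx, commit in enumerate(log):
        if commit["sha"] == base_sha:
            return log[:idx]
    raise ValueError(f"base commit {base_sha} not found in history")


def derive_version(latest_tag, head_sha, head_is_tagged):
    """Version string in the form from the thread: the latest tag alone when
    HEAD carries that tag, otherwise tag + '+' + HEAD commit id."""
    return latest_tag if head_is_tagged else f"{latest_tag}+{head_sha}"


def commit_to_cdx(commit, repo_url):
    """Map one log entry onto a CycloneDX commit object."""
    if not SHA1_RE.match(commit["sha"]):
        raise ValueError(f"not a git SHA-1: {commit['sha']!r}")

    def identity(triple):
        name, email, timestamp = triple
        return {"timestamp": timestamp, "name": name, "email": email}

    return {
        "uid": commit["sha"],
        "url": f"{repo_url}/commit/{commit['sha']}",
        "author": identity(commit["author"]),
        "committer": identity(commit["committer"]),
        "message": commit["message"],
    }


def build_modified_component(name, bom_ref, original_purl, original_version,
                             repo_url, latest_tag, base_sha, log):
    """Build the modified component: ancestors points at the original
    package (by purl), commits lists only the fork-specific history."""
    unique = commits_since(log, base_sha)
    head_sha = log[0]["sha"]
    return {
        "type": "library",
        "bom-ref": bom_ref,
        "name": name,
        "version": derive_version(latest_tag, head_sha, head_is_tagged=not unique),
        "pedigree": {
            "ancestors": [{"type": "library", "name": name,
                           "version": original_version, "purl": original_purl}],
            "commits": [commit_to_cdx(c, repo_url) for c in unique],
            "notes": f"Forked from {original_purl} at {base_sha}; "
                     "commits listed newest first.",
        },
    }


if __name__ == "__main__":
    component = build_modified_component(
        "example-lib", "example-lib-fork", UPSTREAM_PURL, "1.33.7",
        REPO_URL, UPSTREAM_TAG, SAMPLE_LOG[-1]["sha"], SAMPLE_LOG)
    print(json.dumps(component, indent=2))
```

Running the script prints a component whose version is `v1.33.7+5278b9229bb058e66a74c00dc9e53604918d94b0` and whose pedigree carries exactly the two fork commits. The base commit is deliberately excluded from `commits`, since it already belongs to the ancestor, and an unknown base raises rather than producing a pedigree that claims a lineage the history does not show.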