SamuraiAku / PkgToSoftwareBOM.jl

Produces a Software Bill of Materials (SBOM) describing your Julia Pkg environment. SBOM is in the SPDX format
MIT License

Add artifact source code to SBOM #33

Open SamuraiAku opened 2 months ago

SamuraiAku commented 2 months ago

An artifact typically contains a compiled binary. Someone who is analyzing an SBOM generated by this package will want to know where to find the source code that was compiled to generate those binaries.

In the general case this is impossible to do. It seems like it may be possible for JLLs that use BinaryBuilder to extract this information. They are all using the same basic build flow so the description of the source tarball should be in a standard location somewhere? This would cover nearly every important artifact out there.

The source tarball would be added to the SBOM as a package, and a relationship of the form below would be added:

SPDXRef-artifact GENERATED_FROM SPDXRef-source_tarball

SamuraiAku commented 2 days ago

I’ve had a look at how BinaryBuilder works and the repositories on Yggdrasil. Trying to parse the build scripts there to extract the source download locations looks to be beyond my skill level.

What I could do instead is list the Yggdrasil repository as where the binary is generated from, which is true. Then it would be up to the analyst to figure out the source code from there.

Is there a parseable registry for Yggdrasil like the package registry? It’s organized in the same way but I’m not seeing a registry file per se. That would make the tie between the JLL registry entry and Yggdrasil easier to put together.
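The SBOM shape proposed in the first comment (source tarball as a package, linked by GENERATED_FROM) and the fallback from the second (pointing at the Yggdrasil recipe instead), as an added example in Python that is not part of PkgToSoftwareBOM.jl; the sample document, SPDXIDs and URLs are constructed, and the second function is the provenance check an analyst would run over the result.

```python
# Constructed SPDX 2.3 JSON document (not output of PkgToSoftwareBOM.jl):
# one JLL artifact package that carries no source information yet.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-artifact",
         "name": "Example_jll artifact (constructed)",
         "downloadLocation": "https://example.invalid/Example.v1.0.0.tar.gz",
         "primaryPackagePurpose": "LIBRARY"},
    ],
    "relationships": [],
}


def add_source_package(sbom, artifact_id, source_id, name, download_location):
    """Add a SOURCE package and record `artifact GENERATED_FROM source`.

    download_location is either the source tarball URL or, when the tarball
    cannot be recovered from the build script, the SPDX VCS form
    git+https://host/repo.git@<revision>#<subpath> pointing at the Yggdrasil
    recipe (the fallback proposed in the second comment).
    """
    ids = {p["SPDXID"] for p in sbom["packages"]}
    if artifact_id not in ids:
        raise ValueError(f"unknown artifact {artifact_id}")
    if source_id not in ids:
        sbom["packages"].append({"SPDXID": source_id, "name": name,
                                 "downloadLocation": download_location,
                                 "primaryPackagePurpose": "SOURCE"})
    rel = {"spdxElementId": artifact_id, "relationshipType": "GENERATED_FROM",
           "relatedSpdxElement": source_id}
    if rel not in sbom["relationships"]:  # idempotent on repeated runs
        sbom["relationships"].append(rel)
    return sbom


def artifacts_without_source(sbom):
    """SPDXIDs of non-SOURCE packages that have no GENERATED_FROM link,
    i.e. the provenance gaps an analyst would flag in the SBOM."""
    linked = {r["spdxElementId"] for r in sbom["relationships"]
              if r["relationshipType"] == "GENERATED_FROM"}
    return sorted(p["SPDXID"] for p in sbom["packages"]
                  if p.get("primaryPackagePurpose") != "SOURCE"
                  and p["SPDXID"] not in linked)
```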