SamuraiAku / SPDX.jl

Provides for the creation, reading and writing of SPDX files in multiple file formats. Written in pure Julia.
MIT License

Graphs.jl Integration #41

Open nsajko opened 7 months ago

nsajko commented 7 months ago

Each SPDX relationship seems to have a natural interpretation as an edge of a digraph (directed graph). Providing integration with the Graphs.jl package would be nice as it could make applying graph-theoretic tools to the SBOM very convenient.

Generating a representation for the SBOM in one of the usual graph formats like GML or GraphViz Dot would be nice. The representation could then be fed to an external program to visualize the SBOM as a digraph in 2D (using GraphViz) and 3D (using Graphia). Not completely sure, but I think you get GML and Dot export for free after integration with Graphs.jl.

SamuraiAku commented 7 months ago

@nsajko could you move this idea to SPDX.jl? That package implements the SPDX specification and is a better place for this concept. This package is focused on plumbing through Pkg and the registry to obtain the information to create the SBOM.

nsajko commented 7 months ago

Fine by me, but I think you're the only one who can move the issue.

SamuraiAku commented 7 months ago

Done

SamuraiAku commented 7 months ago

Some notes for anyone who wants to try this and I hope I’m getting the terminology right…

SamuraiAku commented 7 months ago

And when the SBOM is created in PkgToSoftwareBOM.jl, any artifacts have the relationship: A RUNTIME_DEPENDENCY_OF B
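To make the relationship-to-edge mapping discussed above concrete, here is an added example in plain Base Julia. It is not code from SPDX.jl, PkgToSoftwareBOM.jl or Graphs.jl, and not the issue participants' code; it assumes nothing about SPDX.jl's types and works on constructed relationship triples (spdxElementId, relationshipType, relatedSpdxElement), the three fields of an SPDX 2.x relationship. The sample SBOM below is made up. Edge direction is normalised following the SPDX 2.x definitions: `A RUNTIME_DEPENDENCY_OF B` (the form PkgToSoftwareBOM.jl emits, per the last comment) means B depends on A, while `A DEPENDS_ON B` means A depends on B, so both become an edge from the dependent to the dependency. With the graph in that orientation, forward reachability answers "what does this package pull in transitively?" and reverse reachability answers "which packages are affected if this component has an advisory?", which is the kind of graph-theoretic question an SBOM is kept for. The final function emits GraphViz DOT, as suggested above.

```julia
# Added example, not code from SPDX.jl, PkgToSoftwareBOM.jl or Graphs.jl. Base Julia only.
# An SPDX 2.x relationship is (spdxElementId, relationshipType, relatedSpdxElement).
# Constructed sample SBOM: one application, a runtime dependency chain and one build tool.
const RELATIONSHIPS = [
    ("SPDXRef-DOCUMENT",  "DESCRIBES",             "SPDXRef-MyApp"),
    ("SPDXRef-HTTP",      "RUNTIME_DEPENDENCY_OF", "SPDXRef-MyApp"),  # PkgToSoftwareBOM.jl style
    ("SPDXRef-MbedTLS",   "RUNTIME_DEPENDENCY_OF", "SPDXRef-HTTP"),
    ("SPDXRef-MyApp",     "DEPENDS_ON",            "SPDXRef-JSON"),   # same meaning, other direction
    ("SPDXRef-BuildTool", "BUILD_DEPENDENCY_OF",   "SPDXRef-MyApp"),
]

# Types where "A <type> B" means B depends on A (SPDX 2.x *_DEPENDENCY_OF family).
const DEPENDENCY_OF = Set(["DEPENDENCY_OF", "RUNTIME_DEPENDENCY_OF", "BUILD_DEPENDENCY_OF",
                           "DEV_DEPENDENCY_OF", "OPTIONAL_DEPENDENCY_OF", "TEST_DEPENDENCY_OF"])
# Types where "A <type> B" means A depends on B.
const DEPENDS_ON = Set(["DEPENDS_ON"])

# Normalise every dependency relationship to an edge (dependent, dependency, type).
# Non-dependency relationships such as DESCRIBES or CONTAINS are skipped here.
function dependency_edges(rels)
    edges = Tuple{String,String,String}[]
    for (a, t, b) in rels
        if t in DEPENDENCY_OF
            push!(edges, (b, a, t))
        elseif t in DEPENDS_ON
            push!(edges, (a, b, t))
        end
    end
    return edges
end

# Adjacency map node => successors; reverse=true flips every edge so that walking the
# graph answers "who depends on X?" instead of "what does X depend on?".
function adjacency(edges; reverse::Bool=false)
    adj = Dict{String,Set{String}}()
    for (from, to, _) in edges
        src, dst = reverse ? (to, from) : (from, to)
        push!(get!(adj, src, Set{String}()), dst)
        get!(adj, dst, Set{String}())   # make sure leaf nodes exist as keys
    end
    return adj
end

# Iterative DFS over the adjacency map. The visited set also terminates on cycles,
# which real SBOMs do contain. The start node itself is not reported.
function reachable(adj, start)
    seen = Set{String}()
    stack = [start]
    while !isempty(stack)
        n = pop!(stack)
        for m in get(adj, n, Set{String}())
            if !(m in seen)
                push!(seen, m)
                push!(stack, m)
            end
        end
    end
    delete!(seen, start)
    return seen
end

# GraphViz DOT export of the normalised edges. SPDX identifiers are restricted to
# "SPDXRef-" plus letters, digits, '.' and '-', so quoting them needs no escaping.
function to_dot(edges; name::String="sbom")
    io = IOBuffer()
    println(io, "digraph $(name) {")
    println(io, "  rankdir=LR;")
    for (from, to, t) in edges
        println(io, "  \"$(from)\" -> \"$(to)\" [label=\"$(t)\"];")
    end
    println(io, "}")
    return String(take!(io))
end

edges = dependency_edges(RELATIONSHIPS)
fwd = adjacency(edges)
rev = adjacency(edges; reverse=true)

pulled_in = sort(collect(reachable(fwd, "SPDXRef-MyApp")))
affected  = sort(collect(reachable(rev, "SPDXRef-MbedTLS")))
println("SPDXRef-MyApp transitively pulls in: ", join(pulled_in, ", "))
println("An SPDXRef-MbedTLS advisory affects:  ", join(affected, ", "))
print(to_dot(edges))
```

With the sample above, the forward walk from SPDXRef-MyApp reports SPDXRef-BuildTool, SPDXRef-HTTP, SPDXRef-JSON and SPDXRef-MbedTLS, and the reverse walk from SPDXRef-MbedTLS reports SPDXRef-HTTP and SPDXRef-MyApp, i.e. the application is exposed to the MbedTLS advisory through HTTP even though the SBOM never lists MbedTLS as a direct dependency of MyApp. To filter by dependency kind (runtime only, for example), drop the unwanted types from `edges` before building the adjacency map. Moving this onto Graphs.jl would mean assigning each SPDX identifier an integer vertex index, building a `SimpleDiGraph` and calling `add_edge!` for each normalised edge (assumed from Graphs.jl's public API, not verified against this package); the DOT output can then be fed to `dot -Tsvg` or imported into Graphia as discussed above.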