advanced-security / gh-sbom

Generate SBOMs with gh CLI
MIT License

Add structure to SBOM and relationships to avoid lingering nodes #3

Closed puerco closed 1 year ago

puerco commented 1 year ago

This is a really cool project thanks for writing it! I have a suggestion to improve the SPDX SBOM and fix a bug.

This PR modifies the SPDX SBOM to add relationships and add structure by relating them to a main package. It also fixes a bug where no packages were listed as being described by the document.

Before, packages were lingering loose; now they are related to one main package to model them as components and not individual items. Visualizing the SBOM structure with bom, we can see that the SBOM now looks like this:

 gh-sbom |  bom document outline -

 📂 SPDX Document github.com/advanced-security/gh-sbom
  │ 
  │ 📦 DESCRIBES 1 Packages
  │ 
  ├ gh-sbom
  │  │ 🔗 20 Relationships
  │  ├ DEPENDS_ON PACKAGE gh-sbom
  │  ├ DEPENDS_ON PACKAGE go-gh@1.2.1
  │  ├ DEPENDS_ON PACKAGE safeexec@1.0.0
  │  ├ DEPENDS_ON PACKAGE go-runewidth@0.0.13
  │  ├ DEPENDS_ON PACKAGE uuid@1.3.0
  │  ├ DEPENDS_ON PACKAGE uniseg@0.2.0
  │  ├ DEPENDS_ON PACKAGE pflag@1.0.5
  │  ├ DEPENDS_ON PACKAGE net@0.7.0
  │  ├ DEPENDS_ON PACKAGE term@0.5.0
  │  ├ DEPENDS_ON PACKAGE httpretty@0.0.6
  │  ├ DEPENDS_ON PACKAGE go-colorful@1.2.0
  │  ├ DEPENDS_ON PACKAGE termenv@0.12.0
  │  ├ DEPENDS_ON PACKAGE shurcool-graphql@0.0.2
  │  ├ DEPENDS_ON PACKAGE text@0.2.0
  │  ├ DEPENDS_ON PACKAGE go-isatty@0.0.16
  │  ├ DEPENDS_ON PACKAGE go-timezone-local@0.0.0-20210907160436-ef149e42d28e
  │  ├ DEPENDS_ON PACKAGE sys@0.5.0
  │  ├ DEPENDS_ON PACKAGE yaml.v3@3.0.1
  │  ├ DEPENDS_ON PACKAGE checkout@3
  │  └ DEPENDS_ON PACKAGE gh-extension-precompile@1
  │ 
  └ 📄 DESCRIBES 0 Files
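The structure this PR describes, a main package that the document DESCRIBES and that DEPENDS_ON each component, together with a check for packages left unreachable from the document, as an added Go example that is not code from the PR or from gh-sbom. It uses a constructed minimal SPDX shape rather than the spdx/tools-golang types, and the sample document is constructed.

```go
package main

// Minimal SPDX 2.x subset, constructed for this example (not the spdx library types).
type Package struct{ SPDXID, Name string }
type Relationship struct{ Element, Type, Related string } // source SPDXID, type, target SPDXID
type Document struct{ SPDXID string; Packages []Package; Relationships []Relationship }

// Constructed "before" document: packages are listed but nothing DESCRIBES them.
var Before = Document{SPDXID: "SPDXRef-DOCUMENT", Packages: []Package{{"SPDXRef-go-gh", "go-gh"}, {"SPDXRef-uuid", "uuid"}}}

// LingeringPackages returns the SPDXIDs of packages that no chain of
// DESCRIBES / DEPENDS_ON / CONTAINS relationships connects to the document.
func LingeringPackages(doc Document) []string {
	edges := map[string][]string{}
	for _, r := range doc.Relationships {
		if r.Type == "DESCRIBES" || r.Type == "DEPENDS_ON" || r.Type == "CONTAINS" {
			edges[r.Element] = append(edges[r.Element], r.Related)
		}
	}
	seen := map[string]bool{}
	for stack := []string{doc.SPDXID}; len(stack) > 0; {
		id := stack[len(stack)-1]
		stack = stack[:len(stack)-1]
		if !seen[id] {
			seen[id] = true
			stack = append(stack, edges[id]...) // walk outward from the document
		}
	}
	loose := []string{}
	for _, p := range doc.Packages {
		if !seen[p.SPDXID] {
			loose = append(loose, p.SPDXID)
		}
	}
	return loose
}

// WithRootPackage adds a main package that the document DESCRIBES and that
// DEPENDS_ON every existing package: the structure this PR gives the SBOM.
func WithRootPackage(doc Document, root Package) Document {
	out := Document{SPDXID: doc.SPDXID, Packages: append([]Package{root}, doc.Packages...)}
	out.Relationships = append([]Relationship{{doc.SPDXID, "DESCRIBES", root.SPDXID}}, doc.Relationships...)
	for _, p := range doc.Packages {
		out.Relationships = append(out.Relationships, Relationship{root.SPDXID, "DEPENDS_ON", p.SPDXID})
	}
	return out
}
```

Running LingeringPackages over a generated SBOM is a cheap CI check that the DESCRIBES relationship did not regress and that no component is left disconnected.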