Closed travi closed 1 year ago
Sorry for the delay! As you discovered, it can take many API calls to generate an SBOM for a large repository, or fail altogether for very large repositories.
The Dependency Graph team was kind enough to implement a server-side SBOM generator for SPDX, which is a single API call and much, much faster. The gh-sbom v0.0.9 release makes use of this feature. Give it a try and let us know if that works for you.
You'll need to update gh-sbom with:
$ gh ext remove advanced-security/gh-sbom
$ gh ext install advanced-security/gh-sbom
Thanks for the update. Great to hear that the API generation is available. Will test it out soon!
this is great and so fast :)
One thing to note: the README still mentions that GHES 3.8 is needed. When using it against GHES, the new REST endpoint for the SBOM doesn't yet exist in v3.8. Since https://github.com/github/roadmap/issues/626 highlights that these features are to be expected in v3.9, what would be the appropriate update to make that clear in the README until that is released?
Great call-out! I have done so with https://github.com/advanced-security/gh-sbom/commit/5e0c9242b0b7dcfbdf19cd111a4335a3193a0054.
When executing against projects where the dependency graph is tracking several pages of dependencies, we are encountering secondary rate limits before the full query result can be processed. Is there a way to configure the client to honor the retry-after/x-ratelimit-reset headers?
For completeness, this is the error we are seeing in this case:
In addition, we are sometimes seeing a timeout error before encountering the secondary rate limit. Is this a known issue?
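A client-side retry wrapper that honors those headers, written here as an added example in Go (it is not gh-sbom's own code). It assumes GitHub's documented precedence for rate-limit responses (Retry-After first, then X-RateLimit-Reset when the remaining quota is 0, otherwise a flat one-minute wait for secondary limits) and injects the sleep function so the backoff can be exercised without actually waiting.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"time"
)

// retryDelay reports whether a GitHub REST response is a rate-limit rejection (403/429)
// and how long to wait before retrying: Retry-After seconds if present; else until the
// X-RateLimit-Reset epoch when X-RateLimit-Remaining is 0; else a flat minute.
func retryDelay(status int, h http.Header, now time.Time) (time.Duration, bool) {
	if status != http.StatusForbidden && status != http.StatusTooManyRequests {
		return 0, false
	}
	if secs, err := strconv.Atoi(h.Get("Retry-After")); err == nil && secs >= 0 {
		return time.Duration(secs) * time.Second, true
	}
	if h.Get("X-RateLimit-Remaining") == "0" {
		if epoch, err := strconv.ParseInt(h.Get("X-RateLimit-Reset"), 10, 64); err == nil {
			d := time.Unix(epoch, 0).Sub(now)
			if d < 0 {
				d = 0
			}
			return d + time.Second, true // one second of slack for clock skew
		}
	}
	return time.Minute, true
}

// doWithRetry sends a body-less request (e.g. GET), honoring retryDelay up to maxRetries times.
func doWithRetry(c *http.Client, req *http.Request, maxRetries int, sleep func(time.Duration)) (*http.Response, error) {
	for attempt := 0; ; attempt++ {
		resp, err := c.Do(req)
		if err != nil {
			return nil, err
		}
		delay, retry := retryDelay(resp.StatusCode, resp.Header, time.Now())
		if !retry || attempt >= maxRetries {
			return resp, nil
		}
		resp.Body.Close() // discard the rejection before waiting
		sleep(delay)
	}
}

func main() { // constructed header, not real API output
	d, _ := retryDelay(http.StatusForbidden, http.Header{"Retry-After": {"30"}}, time.Now())
	fmt.Println("would wait", d)
}
```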