anthonyharrison / distro2SBOM

Generates SBOM files from system packaging information
Apache License 2.0

Add license, summary, URL with -i argument #2

Closed danielperna84 closed 1 year ago

danielperna84 commented 1 year ago

When using the -i argument, the metadata was not obtained via rpm -qi. My modification changes this, which in turn then includes the license, summary and URL of the package. I did not include the supplier, as the resulting value for cpe does not match a valid ID from the CPE Dictionary.

I chose not to refactor the code, which results in some duplication. But as I don't know much about this project's internals, I felt this is the safe route to at least get this feature available to others.

It's worth pointing out that my implementation skips packages if they are not installed (like the -p argument does), and therefore no metadata is available. This might not be desired by some people, as before those were included, just with less data.
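The pull request above takes the license, summary and URL of each package from `rpm -qi` and skips packages that are not installed. The script below is an added example for this thread, not distro2sbom's code or the author's patch: it parses `rpm -qi` text into fields (treating the multi-line Description block, which can itself contain colons, as free text), runs `rpm -qi` without a shell so package names taken from a package list cannot inject shell syntax, and returns None for a package that is not installed. The sample `rpm -qi` output and the `fake_rpm` runner are constructed so the example runs offline.

```python
"""Parse `rpm -qi` output into the fields (license, summary, URL) an SBOM wants.

Added example for this thread; not distro2sbom's own code. SAMPLE_INSTALLED
and SAMPLE_MISSING are constructed to match the layout of `rpm -qi`, and
`query_package` takes a `run` callable so the example can be exercised offline.
"""
import re
import subprocess
from typing import Callable, Optional

# Constructed sample of `rpm -qi bash` output (values are illustrative).
SAMPLE_INSTALLED = """\
Name        : bash
Version     : 5.1.8
Release     : 6.el9
Architecture: x86_64
Install Date: Tue 14 Mar 2023 10:00:00 AM UTC
Group       : Unspecified
Size        : 7736816
License     : GPLv3+
Source RPM  : bash-5.1.8-6.el9.src.rpm
URL         : https://www.gnu.org/software/bash
Summary     : The GNU Bourne Again shell
Description :
The GNU Bourne Again shell (Bash) is a shell and command language
interpreter. Note: this line contains a colon on purpose.
"""

# What `rpm -qi` prints (with exit status 1) for a package that is absent.
SAMPLE_MISSING = "package notinstalled is not installed\n"

# "Key   : value" or "Key: value"; the key runs up to the first colon.
_FIELD = re.compile(r"^(\S[^:]*?)\s*:\s?(.*)$")


def parse_rpm_qi(text: str) -> dict:
    """Turn `rpm -qi` text into a dict keyed by field name.

    Everything after the `Description :` header is free text that may itself
    contain colons, so it is collected verbatim instead of being split on ':'.
    """
    fields: dict = {}
    description: list = []
    in_description = False
    for line in text.splitlines():
        if in_description:
            description.append(line)
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key == "Description":
            in_description = True
            if value:
                description.append(value)
            continue
        fields[key] = value
    if description:
        fields["Description"] = "\n".join(description).strip()
    return fields


def run_rpm_qi(name: str) -> tuple:
    """Real runner: (exit status, stdout) of `rpm -qi <name>`.

    Arguments are passed as a list (no shell), so a package name read from an
    untrusted package list cannot smuggle in shell syntax.
    """
    proc = subprocess.run(["rpm", "-qi", name], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def query_package(name: str, run: Callable[[str], tuple] = run_rpm_qi) -> Optional[dict]:
    """Return SBOM-relevant metadata for `name`, or None if it is not installed.

    Returning None mirrors the PR's behaviour (skip uninstalled packages); a
    caller that prefers the old behaviour can emit a placeholder record instead.
    """
    status, out = run(name)
    if status != 0 or "is not installed" in out:
        return None
    f = parse_rpm_qi(out)
    return {
        "name": f.get("Name", name),
        "version": f.get("Version"),
        "release": f.get("Release"),
        "license": f.get("License"),
        "summary": f.get("Summary"),
        "url": f.get("URL"),
    }


def fake_rpm(name: str) -> tuple:
    """Offline stand-in for run_rpm_qi, fed by the constructed samples."""
    if name == "bash":
        return 0, SAMPLE_INSTALLED
    return 1, SAMPLE_MISSING.replace("notinstalled", name)


if __name__ == "__main__":
    for pkg in ("bash", "notinstalled"):
        print(pkg, query_package(pkg, run=fake_rpm))
```

One `rpm -qi` process per package is what produces the few seconds per hundred packages reported below; if only a fixed set of tags is needed, `rpm -q --queryformat '%{NAME}\t%{LICENSE}\t%{SUMMARY}\t%{URL}\n' <name>` returns them in one line with no parsing of the human-readable layout at all.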

anthonyharrison commented 1 year ago

> When using the -i argument, the metadata was not obtained via rpm -qi. My modification changes this, which in turn then includes the license, summary and URL of the package. I did not include the supplier, as the resulting value for cpe does not match a valid ID from the CPE Dictionary.
>
> I chose not to refactor the code, which results in some duplication. But as I don't know much about this project's internals, I felt this is the safe route to at least get this feature available to others.
>
> It's worth pointing out that my implementation skips packages if they are not installed (like the -p argument does), and therefore no metadata is available. This might not be desired by some people, as before those were included, just with less data.

@danielperna84 Thanks for the pull request. Whereas the -p option is used on a system where the package is installed, the -i option was intended to just process the list of installed packages which may have been produced on another system. I wonder if I should offer another option --system which essentially produces an SBOM for ALL of the packages installed on the system and will include licences and summary information that you require. I expect that this will be a large SBOM and will take some time to assemble, but would that do what you need?

danielperna84 commented 1 year ago

Yes, in my case this is used to generate the SBOM for the whole system. More specifically, to gather the data for a manually created container image.

The --system argument would be a good alternative, as I can see others still preferring your current implementation.

And I can confirm that doing it the way I have implemented does take a few seconds to complete. I didn't take measurements, but roughly 5 seconds for ~150 packages in my development container.

That being said, it might not be worth the effort if it's just me. Today I've stumbled upon Syft, which also does the job for me. So there's no high priority from my side.

anthonyharrison commented 1 year ago

@danielperna84 I have just updated DISTRO2SBOM (v0.3.0) with the --system option. It will generate an SBOM with all of the dependency relationships between the components. Depending on your setup, it may take some time to process but I have successfully generated an SBOM with nearly 3500 components and over 17000 relationships and it took just over 5 minutes.

Are you happy if I reject your pull request?
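The --system option described above records dependency relationships between components, which is where the relationship count (17000 for 3500 packages) comes from: rpm expresses dependencies as capabilities rather than package names, so every `rpm -q --requires` entry has to be resolved to a providing package with `rpm -q --whatprovides`. The script below is an added example for this thread, not distro2sbom's implementation: it builds package-to-package edges from those two queries, drops `rpmlib(...)` pseudo-capabilities and self-references, and keeps a list of capabilities that no installed package provides instead of silently losing them. REQUIRES and PROVIDES are constructed stand-ins for the rpm output so the example runs offline; the `rpm_*` functions show the real queries.

```python
"""Build package-to-package dependency edges for a whole-system SBOM from rpm.

Added example for this thread, not distro2sbom's code. rpm records
dependencies as capabilities (`rpm -q --requires <pkg>`) that are resolved to
packages with `rpm -q --whatprovides <cap>`; the REQUIRES and PROVIDES tables
are constructed to mimic those outputs so the example runs offline.
"""
import subprocess
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed `rpm -q --requires <pkg>` output, one capability per line.
REQUIRES: Dict[str, List[str]] = {
    "bash": [
        "/bin/sh",
        "libc.so.6()(64bit)",
        "libtinfo.so.6()(64bit)",
        "libreadline.so.8()(64bit)",          # deliberately has no provider below
        "rpmlib(CompressedFileNames) <= 3.0.4-1",
    ],
    "ncurses-libs": ["libc.so.6()(64bit)", "rpmlib(PayloadIsZstd) <= 5.4.18-1"],
    "glibc": ["glibc-common = 2.34-60.el9", "rpmlib(FileDigests) <= 4.6.0-1"],
    "glibc-common": ["rpmlib(FileDigests) <= 4.6.0-1"],
}

# Constructed `rpm -q --whatprovides <cap>` answers, already reduced to a
# package name; a missing key stands for "no package provides <cap>".
PROVIDES: Dict[str, str] = {
    "/bin/sh": "bash",
    "libc.so.6()(64bit)": "glibc",
    "libtinfo.so.6()(64bit)": "ncurses-libs",
    "glibc-common = 2.34-60.el9": "glibc-common",
}


def rpm_requires(pkg: str) -> List[str]:
    """Real query: capabilities required by an installed package."""
    proc = subprocess.run(["rpm", "-q", "--requires", pkg],
                          capture_output=True, text=True)
    return [line for line in proc.stdout.splitlines() if line.strip()]


def rpm_whatprovides(cap: str) -> Optional[str]:
    """Real query: name of the first installed package providing `cap`.

    --queryformat '%{NAME}\\n' avoids having to split a NEVRA string such as
    glibc-2.34-60.el9.x86_64 back into its name (names may contain hyphens).
    """
    proc = subprocess.run(["rpm", "-q", "--whatprovides", "--queryformat",
                           "%{NAME}\n", cap], capture_output=True, text=True)
    if proc.returncode != 0:
        return None
    names = [line for line in proc.stdout.splitlines() if line.strip()]
    return names[0] if names else None


def build_edges(
    packages: List[str],
    requires: Callable[[str], List[str]],
    whatprovides: Callable[[str], Optional[str]],
) -> Tuple[Set[Tuple[str, str]], Dict[str, List[str]]]:
    """Return (edges, unresolved).

    edges is a set of (dependant, dependency) package pairs; unresolved maps a
    package to the capabilities nothing installed provides, so a broken or
    partial system is reported rather than hidden in the SBOM.
    """
    edges: Set[Tuple[str, str]] = set()
    unresolved: Dict[str, List[str]] = {}
    for pkg in packages:
        for cap in requires(pkg):
            if cap.startswith("rpmlib("):
                continue  # rpm feature requirements, not a package dependency
            provider = whatprovides(cap)
            if provider is None:
                unresolved.setdefault(pkg, []).append(cap)
            elif provider != pkg:
                edges.add((pkg, provider))  # bash providing /bin/sh to itself is dropped
    return edges, unresolved


def fake_requires(pkg: str) -> List[str]:
    return REQUIRES.get(pkg, [])


def fake_whatprovides(cap: str) -> Optional[str]:
    return PROVIDES.get(cap)


def system_edges() -> Tuple[Set[Tuple[str, str]], Dict[str, List[str]]]:
    """Edges for the constructed system; swap in rpm_requires/rpm_whatprovides for a real host."""
    return build_edges(sorted(REQUIRES), fake_requires, fake_whatprovides)


if __name__ == "__main__":
    edges, unresolved = system_edges()
    for dependant, dependency in sorted(edges):
        print(f"{dependant} DEPENDS_ON {dependency}")
    print("unresolved:", unresolved)
```

On a real host the constructed tables are replaced by `rpm_requires` and `rpm_whatprovides`; the `--whatprovides` query is answered from the rpm database, which is why a full-system run of thousands of packages is measured in minutes, not seconds.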

danielperna84 commented 1 year ago

Sure, go ahead. My solution was just a quick fix. Thanks for your effort. 👍🏻