Closed danielperna84 closed 1 year ago
When using the `-i` argument, the metadata was not obtained via `rpm -qi`. My modification changes this, which in turn then includes the license, summary and URL of the package. I did not include the supplier, as the resulting value for `cpe` does not match a valid ID from the CPE Dictionary. I chose not to refactor the code, which results in some duplication. But as I don't know much about this project's internals, I felt this is the safe route to at least get this feature available to others.
It's worth pointing out that my implementation skips packages if they are not installed (like the `-p` argument does), and therefore no metadata is available. This might not be desired by some people, as before those were included, just with less data.
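As an added illustration (not code from this pull request or from DISTRO2SBOM), a small Python parser for `rpm -qi` output that picks up the License, Summary and URL fields described above and skips packages that rpm reports as not installed; the sample output below is constructed, and the field layout is assumed to be the standard `rpm -qi` format.

```python
import re
import subprocess

# Constructed sample of `rpm -qi` output for an installed package (not real data).
SAMPLE_INSTALLED = """Name        : openssl
Version     : 3.0.7
Release     : 1.el9
Architecture: x86_64
Install Date: Mon 01 Jan 2024 10:00:00 AM UTC
Group       : Unspecified
Size        : 1234567
License     : Apache-2.0
Signature   : (none)
Source RPM  : openssl-3.0.7-1.el9.src.rpm
Summary     : Utilities from the general purpose cryptography library
URL         : http://www.openssl.org/
Description :
The OpenSSL toolkit provides support for secure communications.
"""

# Constructed sample of what rpm prints for a package that is absent.
SAMPLE_MISSING = "package notinstalled is not installed\n"

FIELDS = ("Name", "Version", "Release", "License", "Summary", "URL")


def parse_rpm_qi(text):
    """Return {field: value} for the header fields of one `rpm -qi` output.

    Returns None when rpm reports the package as not installed, so the
    caller can skip it (the behaviour the PR description mentions).
    """
    if text.startswith("package ") and "is not installed" in text:
        return None
    info = {}
    for line in text.splitlines():
        if line.startswith("Description"):
            break  # free-text description follows; header fields are done
        m = re.match(r"^([A-Za-z ]+?)\s*:\s*(.*)$", line)
        if m and m.group(1) in FIELDS:
            info[m.group(1)] = m.group(2).strip()
    return info


def to_sbom_component(info):
    """Map parsed fields onto the attributes an SBOM component would carry."""
    return {
        "name": info["Name"],
        "version": f"{info['Version']}-{info['Release']}",
        "license": info.get("License"),
        "summary": info.get("Summary"),
        "url": info.get("URL"),
    }


def rpm_metadata(package):
    """Query the local rpm database (requires an RPM-based host)."""
    proc = subprocess.run(["rpm", "-qi", package], capture_output=True, text=True)
    return parse_rpm_qi(proc.stdout or proc.stderr)
```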
@danielperna84 Thanks for the pull request. Whereas the `-p` option is used on a system where the package is installed, the `-i` option was intended to just process the list of installed packages which may have been produced on another system. I wonder if I should offer another option `--system` which essentially produces a SBOM for ALL of the packages installed on the system and will include licences, and summary information that you require. I expect that this will be a large SBOM! and will take some time to assemble but would that do what you need?
Yes, in my case this is used to generate the SBOM for the whole system. More specifically to gather the data for a manually created container image.
The `--system` argument would be a good alternative, as I can see others still preferring your current implementation.
And I can confirm that doing it the way I have implemented does take a few seconds to complete. I didn't take measurements. But roughly 5 seconds for ~150 packages in my development container.
That being said, it might not be worth the effort if it's just me. Today I've stumbled upon Syft, which also does the job for me. So there's no high priority from my side.
@danielperna84 I have just updated DISTRO2SBOM (v0.3.0) with the `--system` option. It will generate an SBOM with all of the dependency relationships between the components. Depending on your setup, it may take some time to process but I have successfully generated an SBOM with nearly 3500 components and over 17000 relationships and it took just over 5 minutes.
Are you happy if I reject your pull request?
Sure, go ahead. My solution was just a quick fix. Thanks for your effort. 👍🏻