Closed alcroito closed 2 weeks ago
@alcroito Thanks for the suggestion.
The PURL value is already used to show the package ecosystem and the data in the CPE is used for supplier information. Are you suggesting that the full PURL and CPE values are shown for each package?
Indeed. That is my suggestion.
To clarify, for PURL, if the purl type is `generic`, showing just `generic` for the package ecosystem field doesn't provide much value without showing some extra metadata. Hence the desire to show the full purl value.
I'm not sure I follow your comment about CPE being used for supplier info. Searching for `cpe` in https://github.com/anthonyharrison/sbom2doc/blob/main/sbom2doc/generator.py shows no hits. And searching for `supplier` suggests the code only reads the supplier that was specified via the package explicitly.
But even if the supplier is derived from CPE via some other code path, I still think there's value in showing the full cpe if requested.
Thanks for implementing this!
I noticed that only one PURL and CPE is shown per package.
Sometimes a package might have more than one PURL or CPE.
For example an upstream vendor CPE, and a patched vendor-specific CPE. Same with PURLs, one for the package upstream url, and one for a version specific to a project, which has patched sources.
Would you be open to a PR that shows all the CPE and PURL values of a package?
I pushed a PR in case that's something you are open to adding.
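The situation described in this comment, a package that carries more than one CPE and more than one PURL, as an added example that is not sbom2doc's code and not part of the original thread: the script below builds a constructed SPDX 2.3 JSON document (package names, versions, locators and URLs are made up) in which one package has two `cpe23Type` and two `purl` external references, collects every identifier per package rather than only the first, and prints the PURL type next to the full PURL so that a `generic` PURL is not reduced to the bare word `generic`. The SPDX field names (`externalRefs`, `referenceCategory`, `referenceType`, `referenceLocator`) are the real SPDX 2.3 JSON ones; the function and variable names are my own.

```python
from __future__ import annotations

import json

# Constructed sample SPDX 2.3 document (not a real project's SBOM).
# "zlib" carries an upstream CPE plus a patched vendor-specific CPE, and an
# upstream PURL plus a project-specific PURL for the patched sources.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {
            "name": "zlib",
            "SPDXID": "SPDXRef-Package-zlib",
            "versionInfo": "1.2.13",
            "supplier": "Organization: Example Vendor",
            "externalRefs": [
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:zlib:zlib:1.2.13:*:*:*:*:*:*:*"},
                {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:examplevendor:zlib:1.2.13-patched1:*:*:*:*:*:*:*"},
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:generic/zlib@1.2.13?download_url=https://example.invalid/zlib-1.2.13.tar.gz"},
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:generic/examplevendor/zlib@1.2.13-patched1?vcs_url=git+https://example.invalid/zlib.git"},
            ],
        },
        {
            "name": "requests",
            "SPDXID": "SPDXRef-Package-requests",
            "versionInfo": "2.31.0",
            "externalRefs": [
                {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                 "referenceLocator": "pkg:pypi/requests@2.31.0"},
            ],
        },
    ],
})


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SPDX_JSON)


def purl_type(purl: str) -> str:
    """Return the PURL type ('generic', 'pypi', ...).

    A PURL looks like pkg:<type>/<namespace>/<name>@<version>?<qualifiers>#<subpath>;
    the type is the first path segment after the 'pkg:' scheme.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")
    return rest.split("/", 1)[0].lower()


def collect_identifiers(doc: dict) -> dict[str, dict[str, list[str]]]:
    """Map each package name to ALL of its PURL and CPE locators, in document order.

    Duplicates are dropped; every other value is kept, so a package with an
    upstream and a vendor-patched identifier lists both.
    """
    result: dict[str, dict[str, list[str]]] = {}
    for pkg in doc.get("packages", []):
        ids: dict[str, list[str]] = {"purl": [], "cpe": []}
        for ref in pkg.get("externalRefs", []):
            rtype = ref.get("referenceType", "")
            loc = ref.get("referenceLocator", "")
            if rtype == "purl" and loc not in ids["purl"]:
                ids["purl"].append(loc)
            elif rtype in ("cpe22Type", "cpe23Type") and loc not in ids["cpe"]:
                ids["cpe"].append(loc)
        result[pkg["name"]] = ids
    return result


def render_table(identifiers: dict[str, dict[str, list[str]]]) -> str:
    """Render a plain-text table with one row per (package, kind, full value)."""
    rows = [("Package", "Type", "Value")]
    for name, ids in identifiers.items():
        for purl in ids["purl"]:
            rows.append((name, f"purl ({purl_type(purl)})", purl))
        for cpe in ids["cpe"]:
            rows.append((name, "cpe", cpe))
    widths = [max(len(r[i]) for r in rows) for i in range(3)]
    return "\n".join(
        "  ".join(col.ljust(w) for col, w in zip(r, widths)).rstrip() for r in rows
    )


if __name__ == "__main__":
    print(render_table(collect_identifiers(load_sample())))
```

Note that CycloneDX components carry a single `purl` and a single `cpe` field, so the "more than one identifier per package" case arises most naturally from SPDX `externalRefs`, which is why the example uses that format.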
Hi,
Thanks for writing this tool, it greatly helps to quickly visualize an SBOM document's content.
I was wondering if it would be possible to add a feature to display one more table that lists the package's PURL and CPE values?