anthonyharrison / sbom2doc

Transform SBOM contents into a formatted document including markdown and PDF formats
Apache License 2.0

Support for showing PURL and CPE in the summary table #4

Closed alcroito closed 2 weeks ago

alcroito commented 1 month ago

Hi,

Thanks for writing this tool, it greatly helps to quickly visualize an SBOM document's content.

I was wondering if it would be possible to add a feature to display one more table that lists the package's PURL and CPE values?

anthonyharrison commented 1 month ago

@alcroito Thanks for the suggestion.

The PURL value is already used to show the package ecosystem and the data in the CPE is used for supplier information. Are you suggesting that the full PURL and CPE values are shown for each package?

alcroito commented 1 month ago

Indeed. That is my suggestion.

alcroito commented 4 weeks ago

To clarify, for PURL, if the purl type is generic, showing just generic for the package ecosystem field doesn't provide much value without showing some extra metadata. Hence the desire to show the full purl value.

I'm not sure I follow your comment about CPE being used for supplier info. Searching for cpe in https://github.com/anthonyharrison/sbom2doc/blob/main/sbom2doc/generator.py shows no hits. And searching for supplier suggests the code only reads the supplier that was specified via the package explicitly.

But even if the supplier is derived from CPE via some other code path, I still think there's value in showing the full CPE if requested.

alcroito commented 2 weeks ago

Thanks for implementing this!

I noticed that only one PURL and CPE is shown per package.

Sometimes a package might have more than one PURL or CPE.

For example, an upstream vendor CPE and a patched vendor-specific CPE. Same with PURLs: one for the package upstream URL, and one for a version specific to a project, which has patched sources.

Would you be open to a PR that shows all the CPE and PURL values of a package?
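To illustrate the two points raised in this thread (a bare `generic` PURL type says little on its own, and a package may carry several PURLs and CPEs), here is an added example that is not sbom2doc's own code. The package records, the `externalreferences` field layout and the markdown table layout are assumptions made for the example.

```python
# Added example (not sbom2doc's code): render a markdown summary table that
# lists every PURL and CPE of each package instead of only the first one.
from typing import Any, Dict, List

# Constructed sample data, not read from a real SBOM: the first package has
# an upstream PURL/CPE plus a vendor-specific, patched variant of each.
PACKAGES: List[Dict[str, Any]] = [
    {
        "name": "libexample",
        "version": "1.2.3",
        "externalreferences": [
            ("purl", "pkg:generic/libexample@1.2.3"),
            ("purl", "pkg:generic/vendor/libexample@1.2.3-patched1"),
            ("cpe", "cpe:2.3:a:upstream:libexample:1.2.3:*:*:*:*:*:*:*"),
            ("cpe", "cpe:2.3:a:vendor:libexample:1.2.3:patched1:*:*:*:*:*:*"),
        ],
    },
    {"name": "single", "version": "0.1",
     "externalreferences": [("purl", "pkg:pypi/single@0.1")]},
]

def purl_type(purl: str) -> str:
    """Return the PURL type (the text between 'pkg:' and the first '/').
    This is the 'ecosystem' value; on its own, 'generic' tells the reader
    nothing about which package is meant, hence showing the full PURL."""
    if not purl.startswith("pkg:"):
        return ""
    return purl[4:].split("/", 1)[0].lower()

def references(package: Dict[str, Any], kind: str) -> List[str]:
    """All external references of one kind ('purl' or 'cpe'), in SBOM order."""
    return [value for ref_kind, value in package["externalreferences"] if ref_kind == kind]

def summary_table(packages: List[Dict[str, Any]]) -> str:
    """Markdown table with one row per package; several values in a cell are
    joined with <br> so every PURL and CPE stays visible when rendered."""
    lines = ["| Name | Version | Ecosystem | PURL | CPE |",
             "| --- | --- | --- | --- | --- |"]
    for pkg in packages:
        purls = references(pkg, "purl")
        cpes = references(pkg, "cpe")
        ecosystems = sorted({purl_type(p) for p in purls if purl_type(p)})
        lines.append(f"| {pkg['name']} | {pkg['version']} | {', '.join(ecosystems)} | "
                     f"{'<br>'.join(purls)} | {'<br>'.join(cpes)} |")
    return "\n".join(lines)

if __name__ == "__main__":
    print(summary_table(PACKAGES))
```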

alcroito commented 2 weeks ago

I pushed a PR in case that's something you are open to adding.

https://github.com/anthonyharrison/sbom2doc/pull/5