eBay / sbom-scorecard

Generate a score for your sbom to understand if it will actually be useful.
Apache License 2.0

Code assumes json format for CycloneDX SBOMs #16

Closed cyberbliss closed 1 year ago

cyberbliss commented 1 year ago

Hi,

The code for specifying the CDX decoder assumes that the SBOM will be in json format. In `cdx_report.go`: `decoder := cdx.NewBOMDecoder(f, cdx.BOMFileFormatJSON)`

As a consequence any XML format CycloneDX SBOMs get marked as invalid specs. This seems misleading to me.

jspeed-meyers commented 1 year ago

I think that adding XML support would be a nice additional feature.

Additionally, it would be useful to have the tool report--in the meantime before XML parsing functionality is added--that the provided CycloneDX document is not JSON via an error message instead of reporting an invalid spec.

wdyt?

cyberbliss commented 1 year ago

Sounds like a good suggestion to me
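The interim behaviour suggested above (tell the user the document is not JSON instead of reporting an invalid spec) can be done by sniffing the first byte before choosing a decoder. The following is an added example, not code from sbom-scorecard; it uses only the standard library, and the mapping of the result to `cdx.BOMFileFormatJSON` or `cdx.BOMFileFormatXML` for `cdx.NewBOMDecoder` is left to the caller.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"strings"
)

// Format is the detected serialisation; map it to cdx.BOMFileFormatJSON or cdx.BOMFileFormatXML.
type Format string

const (
	FormatJSON Format = "json"
	FormatXML  Format = "xml"
)

// SniffFormat skips a UTF-8 byte order mark and leading whitespace, then classifies
// the document by its first byte: '{' is JSON, '<' is XML, anything else is an explicit
// error instead of an "invalid spec" verdict. The returned reader still yields the body.
func SniffFormat(r io.Reader) (Format, io.Reader, error) {
	br := bufio.NewReader(r)
	if b, err := br.Peek(3); err == nil && b[0] == 0xEF && b[1] == 0xBB && b[2] == 0xBF {
		br.Discard(3) // a BOM prefix is common in XML exported from Windows tools
	}
	for {
		b, err := br.Peek(1)
		if err != nil {
			return "", br, fmt.Errorf("empty or unreadable SBOM: %w", err)
		}
		switch b[0] {
		case ' ', '\t', '\r', '\n':
			br.Discard(1)
		case '{':
			return FormatJSON, br, nil
		case '<':
			return FormatXML, br, nil
		default:
			return "", br, errors.New("input is neither a JSON nor an XML CycloneDX document")
		}
	}
}

func main() {
	// Constructed samples: a BOM-prefixed XML document and plain text that is no SBOM at all.
	for _, doc := range []string{"\xEF\xBB\xBF<?xml version=\"1.0\"?><bom/>", "not an sbom"} {
		format, _, err := SniffFormat(strings.NewReader(doc))
		fmt.Printf("format=%q err=%v\n", format, err)
	}
}
```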