Open ffontaine opened 10 months ago
This sounds like a good idea.
For sbom generation: we're leaning heavily on lib4sbom so it'd be good to have it in there.
But I think we're going to internally want purl for the language parsers as well, so it probably makes sense to integrate it or something similar as part of the parsers too.
purls can be added to SBOM generation as external references. Adding this to the SBOM generation within cve-bin-tool is relatively easy as lib4sbom already handles purls (and CPEs) as external references.
Having spent a bit more time looking at this, I think this is an awesome idea. I note that there is a utility which loads the data into an SQLite database, which means we could just include a pre-populated database with an install of cve-bin-tool.
We then need to add some queries to see if the CPE and/or purl entries in an SBOM match, and then work out how we map this information into the existing database.
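As an added example (not code from cve-bin-tool, lib4sbom or purl2cpe), the following sketches the two pieces the comments above describe: querying an SQLite purl-to-CPE mapping in both directions, and emitting the result as SPDX external references (`purl` and `cpe23Type`) so it can be attached to an SBOM package. The table layout and every mapping row are constructed here for illustration and do not reflect the real purl2cpe schema; the CPE 2.3 escaping rule applied (alphanumerics, `-`, `.` and `_` unescaped, everything else backslash-quoted) is the formatted-string binding's.

```python
"""Added illustration: map purl <-> CPE 2.3 via an SQLite table and build SPDX externalRefs.

The table and rows below are CONSTRUCTED for this example; they are not the
purl2cpe schema or data, and nothing here is cve-bin-tool or lib4sbom code.
"""
import re
import sqlite3
from urllib.parse import quote, unquote

# Constructed sample rows: (purl without version, CPE vendor, CPE product)
SAMPLE_MAPPING = [
    ("pkg:generic/openssl", "openssl", "openssl"),
    ("pkg:pypi/requests", "python-requests", "requests"),
    ("pkg:npm/lodash", "lodash", "lodash"),
]


def open_mapping_db():
    """Create an in-memory SQLite DB holding the constructed purl->CPE table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE purl_cpe (purl TEXT PRIMARY KEY, vendor TEXT, product TEXT)")
    conn.executemany("INSERT INTO purl_cpe VALUES (?, ?, ?)", SAMPLE_MAPPING)
    conn.commit()
    return conn


def split_purl(purl):
    """Split pkg:type/namespace/name@version?qualifiers#subpath into (base, version|None)."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    body = purl[len("pkg:"):]
    body = body.split("#", 1)[0].split("?", 1)[0]  # drop subpath, then qualifiers
    if "@" in body:                                # canonical purls percent-encode '@' in names
        base, version = body.rsplit("@", 1)
        version = unquote(version)
    else:
        base, version = body, None
    return "pkg:" + base.strip("/"), version


def cpe_escape(value):
    """Quote a value for the CPE 2.3 formatted-string binding."""
    return "".join(c if (c.isalnum() or c in "-._") else "\\" + c for c in value)


def cpe_unescape(value):
    """Undo backslash quoting of a CPE 2.3 field."""
    return re.sub(r"\\(.)", r"\1", value)


def split_cpe23(cpe):
    """Split a CPE 2.3 string on unescaped ':' and check the 13-field shape."""
    fields, cur, i = [], [], 0
    while i < len(cpe):
        if cpe[i] == "\\" and i + 1 < len(cpe):   # keep escape pairs intact
            cur.append(cpe[i:i + 2]); i += 2; continue
        if cpe[i] == ":":
            fields.append("".join(cur)); cur = []
        else:
            cur.append(cpe[i])
        i += 1
    fields.append("".join(cur))
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return fields


def purl_to_cpe(conn, purl):
    """Return a CPE 2.3 string for a purl, or None when the mapping table has no entry."""
    base, version = split_purl(purl)
    row = conn.execute("SELECT vendor, product FROM purl_cpe WHERE purl = ?", (base,)).fetchone()
    if row is None:
        return None
    vendor, product = row
    ver = cpe_escape(version) if version else "*"
    return f"cpe:2.3:a:{cpe_escape(vendor)}:{cpe_escape(product)}:{ver}:*:*:*:*:*:*:*"


def cpe_to_purl(conn, cpe):
    """Reverse lookup: vendor/product of a CPE 2.3 string to a purl, carrying the version over."""
    fields = split_cpe23(cpe)
    vendor, product, version = (cpe_unescape(f) for f in fields[3:6])
    row = conn.execute("SELECT purl FROM purl_cpe WHERE vendor = ? AND product = ?",
                       (vendor, product)).fetchone()
    if row is None:
        return None
    purl = row[0]
    if version not in ("*", "-"):                 # ANY / NA carry no version
        purl += "@" + quote(version, safe="")
    return purl


def spdx_external_refs(purl, cpe):
    """SPDX 2.x externalRefs entries for a package's purl and CPE."""
    return [
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl", "referenceLocator": purl},
        {"referenceCategory": "SECURITY", "referenceType": "cpe23Type", "referenceLocator": cpe},
    ]


if __name__ == "__main__":
    db = open_mapping_db()
    p = "pkg:generic/openssl@1.1.1k"
    c = purl_to_cpe(db, p)
    print(c, cpe_to_purl(db, c), spdx_external_refs(p, c), sep="\n")
```

The lookup deliberately keys on the version-less purl, since a mapping table can only know vendor/product; the version is substituted into the CPE afterwards, and the `*`/`-` special values are left out when going back to a purl.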
Thanks @anthonyharrison, I also worked a bit on the subject. I'll send you a PR so you can take a look at it and hopefully improve it ;-). I also sent a question to purl2cpe to seek advice on the best way to use their project: https://github.com/scanoss/purl2cpe/issues/10
Here is a first iteration: https://github.com/anthonyharrison/lib4sbom/pull/16.
Description
It would be very useful to generate SBOMs with purl entries through purl2cpe, which is licensed under MIT. My basic idea would be to fill purl entries depending on what is returned by the purl2cpe database. Here is an example:
Why?
With purl, SBOM managers will retrieve useful upstream information: latest version, repository activity, etc.
Environment context (optional)
Currently, cve-bin-tool is used during our pentests to detect vulnerable components and ask manufacturers to upgrade them. We're now starting to also use cve-bin-tool to generate SBOMs. Hopefully, SBOMs should help the project manager to handle CVEs throughout the product lifecycle. Ideally, SBOMs should be provided by manufacturers, but for the moment cve-bin-tool generates better SBOMs than the manufacturer does ...
Anything else?
I'm not sure where purl2cpe should be integrated: in cve-bin-tool or in lib4sbom?