interlynk-io / sbomasm

SBOM Assembler - A tool to edit SBOM or assemble multiple sboms into a single sbom.
Apache License 2.0

Streamline process of augmentation/enrichment #102

Open vpetersson opened 1 week ago

vpetersson commented 1 week ago

I've been playing a bit with sbomasm for enrichment, and I ran into a somewhat annoying thing, which is that you can't combine a single line for doing enrichment of both document and primary-component.

Right now, my process looks something like this:

sbomasm edit \
    -o phase1.cdx.json \
    --subject document \
        --supplier "Acme Inc (hello@acme.com)" \
        --author "Acme Inc (hello@acme.com)" \
        --copyright "Copyright © $(date +%Y)" \
        --license "Proprietary" \
        input.cdx.json

sbomasm edit \
    -o phase2.cdx.json \
    --subject primary-component \
        --lifecycle "build" \
        --repository github.com/acme/foobar \
        --name "acme foobar backend" \
        --description "acme webapp" \
        --version "${GITHUB_SHA}" \
        phase1.cdx.json

While it's not a catastrophe to have to break apart these things into two runs, it does require a bit of shuffling files around since in-line editing isn't supported.

I can see two ways of making the process smoother:

  1. Allow for inline editing of the file.
  2. Overhaul all named arguments and give them a namespace.

In the case of 2, some intelligence can be made, as lifecycle, for instance, can only be used in one place, whereas version can be used in both the primary component and the document.

It's also worth mentioning that I did look at using the template first. However, due to the lack of variable support (needed for version), I ended up with the above.
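One way to keep the two-run process above from scattering intermediate files, as an added example that is neither sbomasm's own code nor the issue author's setup: both edit phases run against a temporary directory and the input SBOM is replaced only after the second phase has produced a non-empty result, so a failed run never clobbers the original. The only flags used are the ones already shown in the issue; the `SBOMASM` variable (path to the binary) and the `sbom_enrich_inplace` function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of sbomasm or the issue author's setup: run the
# two edit phases from the issue through a temp directory and only replace
# the input file once both succeed, so a failed run never clobbers the
# original SBOM. Assumes SBOMASM (optional) points at the sbomasm binary.
set -eu

# sbom_enrich_inplace <sbom.cdx.json> <repository> <name> <description> <version>
sbom_enrich_inplace() {
    input="$1"; repo="$2"; name="$3"; desc="$4"; version="$5"
    sbomasm_bin="${SBOMASM:-sbomasm}"
    tmpdir=$(mktemp -d)
    trap 'rm -rf "$tmpdir"' EXIT

    # Phase 1: document-level metadata (flags as used in the issue).
    "$sbomasm_bin" edit \
        -o "$tmpdir/phase1.cdx.json" \
        --subject document \
        --supplier "Acme Inc (hello@acme.com)" \
        --author "Acme Inc (hello@acme.com)" \
        --copyright "Copyright © $(date +%Y)" \
        --license "Proprietary" \
        "$input"

    # Phase 2: primary-component metadata, consuming phase 1's output.
    "$sbomasm_bin" edit \
        -o "$tmpdir/phase2.cdx.json" \
        --subject primary-component \
        --lifecycle "build" \
        --repository "$repo" \
        --name "$name" \
        --description "$desc" \
        --version "$version" \
        "$tmpdir/phase1.cdx.json"

    # Replace the original only when a non-empty result exists.
    if [ ! -s "$tmpdir/phase2.cdx.json" ]; then
        echo "enrichment produced no output; $input left untouched" >&2
        return 1
    fi
    mv "$tmpdir/phase2.cdx.json" "$input"
}

# Usage: ./enrich.sh input.cdx.json github.com/acme/foobar "acme foobar backend" "acme webapp" "$GITHUB_SHA"
if [ $# -ge 5 ]; then
    sbom_enrich_inplace "$@"
fi
```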

surendrapathak commented 1 week ago

I think inline editing is a common enough use case to provide an option (-f ?). @viveksahu26 @riteshnoronha