librariesio / bibliothecary

:notebook_with_decorative_cover: Libraries.io Package Manager Manifest Parsers
https://libraries.io/rubygems/bibliothecary
GNU Affero General Public License v3.0
89 stars 36 forks

[8.0.0] Add CycloneDX support #529

Closed johnbintz-tidelift closed 2 years ago

johnbintz-tidelift commented 2 years ago

I ran the new code against these sets of SBOMs and everything appeared to parse correctly, or at least parsed without error:

havocp commented 2 years ago

I remember the "multiple platforms in a file" problem having some significant complexity (the dependencies.csv parser sort of punts on it for some reason).

I can't look at this in detail for an hour or two but would like to understand that aspect.

There was a more comprehensive support for multiple platforms that was added and then reverted historically.

johnbintz-tidelift commented 2 years ago

@havocp I reworked the approach I was using to make it so you include (well, extend) a Parser with the CycloneDX parser and then all the CycloneDX bits are added to the individual parsers. This means that, right now, when parsing a CycloneDX file, there's a bunch of matching platforms that are totally blank.
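As an added illustration of the design described in the comment above (and of the "multiple platforms in a file" concern raised earlier in the thread), here is a small Ruby sketch of the mixin idea: a CycloneDX module mixed into per-platform parsers, where each parser keeps only the SBOM components whose purl type belongs to it, so a multi-ecosystem SBOM yields results for matching platforms and empty results for the others. This is example code written for this page, not bibliothecary's own implementation; the class names, `platform_name` hook, purl-type mapping and the sample SBOM are all constructed here.

```ruby
require "json"

# Added example (not bibliothecary's own code): a mixin that gives each
# per-platform parser a CycloneDX JSON entry point. A platform keeps only
# the components whose purl type it owns, so one SBOM holding several
# ecosystems produces a non-empty result for the matching parsers and an
# empty one for the rest.
module CycloneDxMixin
  # purl type => platform name reported by the including parser (assumed mapping)
  PURL_TYPE_TO_PLATFORM = {
    "npm" => "npm",
    "maven" => "maven",
    "pypi" => "pypi",
    "gem" => "rubygems",
  }.freeze

  # Parse a CycloneDX JSON document and return [{name:, requirement:, type:}]
  # for the components that belong to this parser's platform. Components
  # without a purl, or with a purl type this parser does not own, are skipped.
  def parse_cyclonedx_json(file_contents)
    doc = JSON.parse(file_contents)
    raise ArgumentError, "not a CycloneDX document" unless doc["bomFormat"] == "CycloneDX"

    Array(doc["components"]).filter_map do |component|
      purl = component["purl"]
      next unless purl

      # purl grammar: pkg:<type>/[namespace/]<name>@<version>[?qualifiers][#subpath]
      m = purl.match(%r{\Apkg:(?<type>[^/]+)/(?<rest>[^?#]+)})
      next unless m
      next unless PURL_TYPE_TO_PLATFORM[m[:type]] == platform_name

      name, version = m[:rest].split("@", 2)
      {
        name: name,
        requirement: version || component["version"],
        type: "runtime",
      }
    end
  end
end

# Hypothetical per-platform parsers that pick up the CycloneDX entry point.
class NpmParser
  include CycloneDxMixin
  def platform_name = "npm"
end

class MavenParser
  include CycloneDxMixin
  def platform_name = "maven"
end

class PypiParser
  include CycloneDxMixin
  def platform_name = "pypi"
end

# Constructed sample SBOM mixing npm, maven and an ecosystem no parser owns.
SAMPLE_BOM = JSON.generate(
  "bomFormat" => "CycloneDX",
  "specVersion" => "1.4",
  "components" => [
    { "type" => "library", "name" => "lodash", "version" => "4.17.21",
      "purl" => "pkg:npm/lodash@4.17.21" },
    { "type" => "library", "name" => "commons-lang3", "version" => "3.12.0",
      "purl" => "pkg:maven/org.apache.commons/commons-lang3@3.12.0" },
    { "type" => "library", "name" => "serde", "version" => "1.0.0",
      "purl" => "pkg:cargo/serde@1.0.0" },
    { "type" => "library", "name" => "no-purl-here", "version" => "0.1" },
  ]
)

# Run every parser over the same file: platform name => dependencies found.
def parse_all(parsers, contents)
  parsers.to_h { |p| [p.platform_name, p.parse_cyclonedx_json(contents)] }
end

if __FILE__ == $PROGRAM_NAME
  parse_all([NpmParser.new, MavenParser.new, PypiParser.new], SAMPLE_BOM)
    .each { |platform, deps| puts "#{platform}: #{deps.inspect}" }
end
```

Running it shows the effect the comment describes: `npm` and `maven` each get their one component, `pypi` gets an empty list, and the cargo component falls through every parser because no platform in the mapping owns it.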

johnbintz-tidelift commented 2 years ago

@havocp I rearranged a bunch of furniture to help me understand the data flows, renamed a bunch of things for improved consistency, and implemented caching within Bibliothecary::Runner.

johnbintz-tidelift commented 2 years ago

I see what's going on with the pom stuff. There's a parsing method that's doing double duty (acting as a target for parse_file and also being called by something else) and the something else is adding the parent properties. I'll get that cleaned up.

johnbintz-tidelift commented 2 years ago

OK I found this: https://github.com/librariesio/libraries.io/blob/e970925aade2596a03268b6e1be785eba8502c62/app/models/package_manager/maven.rb#L129

A direct call to parse_pom_manifest in Libraries. I'll shuffle some things around to make sure Libraries won't break when I update this.