microsoft / sbom-tool

The SBOM tool is a highly scalable and enterprise-ready tool to create SPDX 2.2 compatible SBOMs for any variety of artifacts.
MIT License

Question: When using Self-provided data-based SBOM generator API, how does one introduce relationships? #688

Closed vichor closed 2 weeks ago

vichor commented 3 weeks ago

Sorry if this is not the way to get support, but I saw another post sending a question and I don't know where to discuss this other than here. I will gladly accept a location to do so, if this is not the proper place.

My question: I’m using the Self-provided data-based SBOM generator API to create SBOMs for embedded software products in a specific industry. It’s common to use third-party products in this industry, so these third parties must appear in the SBOM.

I am creating SbomFile, SbomPackage, and SBOMRelationship objects and then using generator.GenerateSbomAsync. However, this method only accepts a list of files and packages as input, not a list of relationships.

How can I ensure the generator takes the relationships into account?

DaveTryon commented 2 weeks ago

Hi, @vichor!

This functionality does not exist, making this a feature request. Our team is currently prioritizing other work and will not be able to add this anytime in the near future. I'm closing this out as not planned.