nishakm
commented
1 year ago Here are some proposals:
- Each package manager maintains its own data model and reader
- Each package manager has a reader that will return a built-in object, maybe a map
- We update the meta package to include fields common to all the package managers, and allow for each manager to extend it. I'm personally not sure how to implement this in Go :)
The data model for the OpenSBOM parsers is broken If you have a project with more than one top-level module/package, it cannot be represented in the current model :(
Say for example this one: https://github.com/rust-secure-code/cargo-geiger/blob/master/Cargo.toml
I don't know if we can fix this with the current model, it will require a v2 API.