opensbom-generator / spdx-sbom-generator

Support CI generation of SBOMs via golang tooling.

Have a flag to generate a single BOM despite multiple package managers #270

Open sbs2001 opened 2 years ago

sbs2001 commented 2 years ago

Currently the tool generates a BOM file for each detected package manager, like bom-go-mod.spdx, bom-yarn.spdx etc.

On addition of this flag, say --merge, the tool shall produce only one output file.

This will make it easier for other tools to leverage this tool.
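
The merge this request describes, as an added example that is not part of spdx-sbom-generator and not the original poster's code: it takes the per-ecosystem tag-value files the tool writes today (constructed stand-ins below, not real tool output) and emits one document. The names `MergeTagValue`, `parseTagValue` and `sample`, the `example.invalid` namespaces and the `-<index>` suffix used to resolve an SPDXID collision are all assumptions of this example. The collision case matters in practice: each per-ecosystem file describes its own top-level package, and a naive concatenation would leave two different packages sharing one SPDXID.

```go
package main

import (
	"fmt"
	"strings"
)

// sample builds a constructed per-ecosystem document (a stand-in for bom-go-mod.spdx
// or bom-yarn.spdx); both name their top-level package SPDXRef-Package-app.
func sample(docName, top, dep, depID string) string {
	return fmt.Sprintf(`SPDXID: SPDXRef-DOCUMENT
DocumentName: %[1]s
DocumentNamespace: http://example.invalid/spdxdocs/%[1]s
PackageName: %[2]s
SPDXID: SPDXRef-Package-app
PackageName: %[3]s
SPDXID: %[4]s
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-app
Relationship: SPDXRef-Package-app DEPENDS_ON %[4]s
`, docName, top, dep, depID)
}

// pkg is one PackageName:-led block; spdxDoc is the subset of a tag-value document
// that the merge needs (file, snippet and license sections are ignored here).
type pkg struct {
	id    string
	lines []string
}
type spdxDoc struct {
	header, relationships []string
	packages              []pkg
}

func parseTagValue(text string) spdxDoc {
	var d spdxDoc
	for _, raw := range strings.Split(text, "\n") {
		line := strings.Join(strings.Fields(raw), " ") // trim and normalise spaces
		switch n := len(d.packages); {
		case line == "": // blank lines only separate blocks
		case strings.HasPrefix(line, "Relationship:"):
			d.relationships = append(d.relationships, line)
		case strings.HasPrefix(line, "PackageName:"):
			d.packages = append(d.packages, pkg{lines: []string{line}})
		case n > 0:
			if strings.HasPrefix(line, "SPDXID:") {
				d.packages[n-1].id = strings.TrimSpace(line[len("SPDXID:"):])
			}
			d.packages[n-1].lines = append(d.packages[n-1].lines, line)
		default:
			d.header = append(d.header, line)
		}
	}
	return d
}

// MergeTagValue emits the first document's header under a new DocumentName and
// DocumentNamespace, then every package block, then every relationship. A repeated
// SPDXID is dropped when its block is byte-identical and otherwise renamed with the
// document index, with that document's relationships rewritten to match.
func MergeTagValue(texts []string, name, namespace string) string {
	out, rels, emitted := []string{}, []string{}, map[string]string{} // emitted: final SPDXID -> block
	for i, t := range texts {
		d := parseTagValue(t)
		if i == 0 { // a merged SBOM is a new document, so it gets its own identity
			for _, h := range d.header {
				if !strings.HasPrefix(h, "DocumentName:") && !strings.HasPrefix(h, "DocumentNamespace:") {
					out = append(out, h)
				}
			}
			out = append(out, "DocumentName: "+name, "DocumentNamespace: "+namespace)
		}
		rename := map[string]string{} // original -> new SPDXID, this document only
		for _, p := range d.packages {
			id, block := p.id, strings.Join(p.lines, "\n")
			if prev, clash := emitted[id]; clash && prev == block {
				continue // same package already written: keep one copy
			} else if clash {
				id = fmt.Sprintf("%s-%d", p.id, i)
				rename[p.id] = id
				block = strings.ReplaceAll(block, "SPDXID: "+p.id, "SPDXID: "+id)
			}
			emitted[id] = block
			out = append(out, "", block)
		}
		for _, r := range d.relationships {
			f := strings.Fields(r) // Relationship: <A> <TYPE> <B>
			for k, ref := range f {
				if n, ok := rename[ref]; ok {
					f[k] = n
				}
			}
			rels = append(rels, strings.Join(f, " "))
		}
	}
	return strings.Join(append(out, "", strings.Join(rels, "\n")), "\n") + "\n"
}

func main() {
	docs := []string{sample("bom-go-mod", "example.com/app", "github.com/x/lib", "SPDXRef-Package-lib"), sample("bom-yarn", "app", "lodash", "SPDXRef-Package-lodash")}
	fmt.Print(MergeTagValue(docs, "bom-merged", "http://example.invalid/spdxdocs/bom-merged"))
}
```

Two caveats for anyone wiring this into a real --merge: the DocumentNamespace of the merged file must be unique (SPDX uses it as the document's identity, so reusing one input's namespace would make two different documents claim the same identity), and Creator/Created should be regenerated for the merged document rather than copied from the first input as above. The example handles only tag-value output; JSON output would need the same SPDXID collision handling on a parsed structure instead of on lines.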

sbs2001 commented 2 years ago

I guess for https://github.com/opensbom-generator/spdx-sbom-generator/issues/263, it makes sense to address this issue first? wdyt @nishakm? Let me know if the approach is good, I'll make a PR.

nishakm commented 2 years ago

I think the original idea was to generate the SBOM based on what packaging ecosystem the top level project is using. However, I can see a situation where multiple languages are used. I would first figure out how to provide a list of package managers and then generate a BOM containing all of it. Does this make sense?

sbs2001 commented 2 years ago

@nishakm yes indeed. That’ll be a good starting point.