patriksvensson / covenant

A tool to generate SBOM (Software Bill of Material) from source code artifacts.
MIT License

Suggestion: Missing `project.assets.json` as warning instead of an error #7

Open afrischk opened 1 year ago

afrischk commented 1 year ago

I was looking for an alternative to https://github.com/microsoft/sbom-tool with CycloneDX support and came across this repo. Thanks for the tool! :-)

One suggestion though: The SBOM generation failed for me because I had no project.assets.json in one of my subprojects. As a result, no SBOM was generated at all. My preference would be to see a missing project.assets.json as a warning that does not prevent the generation of the SBOM.

https://github.com/patriksvensson/covenant/blob/0b5d76289c152af01a6d4ac50cad1954e873a701/src/Covenant/Cli/Generate/GenerateCommand.cs#L67

and

https://github.com/patriksvensson/covenant/blob/0b5d76289c152af01a6d4ac50cad1954e873a701/src/Covenant/Analysis/Dotnet/DotnetAnalyzer.cs#L214

What do you think?

patriksvensson commented 1 year ago

@afrischk I think that an error is the best way to go here. However, there really should be a way of saying "I don't care about this project" and exclude the project from the SBOM.