protobom / sbom-convert

Example CLI project to demo API architecture and protobom library
Apache License 2.0

Demo CLI tool lossless info. #2

Closed houdini91 closed 1 year ago

houdini91 commented 1 year ago

In the meeting (26.7) we talked about demoing the translation spdx-cdx, then cdx-spdx, and then talking about the information we lose.

CLI demo script, for example for the nginx file.

go-cli ../protobom/examples/nginx.spdx.json -f cyclonedx -o ../protobom/examples_rd1/nginx.cdx.json

go-cli ../protobom/examples_rd1/nginx.cdx.json -f spdx -o ../protobom/examples_rd2/nginx.spdx.json

Results

I'm not sure how to attach the SBOM files; I sent the zip in Slack for now.

I took a look at the diff; it's very hard to read if we don't use some ordering logic or a smart SBOM diff viewer (any suggestions)? @puerco

Build the CLI

git clone git@github.com:scribe-security/go-cli.git
cd go-cli
git checkout suggestion/basecli
make binary

The binary will be under the ./snapshot dir in the repo working dir.

veramine commented 1 year ago

Awesome, I'll try this out, thanks

puerco commented 1 year ago

I took a look at the diff; it's very hard to read if we don't use some ordering logic or a smart SBOM diff viewer

As I mentioned in the meeting, I'm working on some features planned for the conformance tests that can help us do that smart SBOM diff viewer. Unfortunately, I had not planned on this and I'll be off the grid for the next few days. I will try to get something going, but I'm out in the countryside and will have limited power, network, etc.

To showcase differences when converting and roundtripping we need a tool like that. A simple diff won't do.

jspeed-meyers commented 1 year ago

Wouldn't https://github.com/kubernetes-sigs/bom help some here?

puerco commented 1 year ago

Yes! We could use bom for SPDX files (or, even better, now bombshell for both) to query the sbom and compare data. I think I would like to get the conformance tests in a better shape because those will be the ones backing our claims where data gets lost or not.

jspeed-meyers commented 1 year ago

https://github.com/chainguard-dev/bomshell for reference.

houdini91 commented 1 year ago

I'm trying to script the demo but can't get the sorting right yet.. examples_short.zip

Using an online site to sort alphanumerically and comparing the docs, I found some interesting details.. https://novicelab.org/jsonabc/

[Five screenshots from 2023-07-27 showing the sorted-document comparison]

houdini91 commented 1 year ago

Script demo PR - https://github.com/scribe-security/go-cli/pull/1

houdini91 commented 1 year ago

[Screenshot from 2023-07-27 12-43-04]

This one is interesting because there is a key, filesAnalyzed, that changed from true to false.
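The two problems raised in this thread, getting the ordering right before diffing and then spotting fields such as filesAnalyzed that change on a spdx -> cdx -> spdx roundtrip, can be handled with a small canonicalize-then-diff script. This is an added example, not code from go-cli or protobom; the two SPDX documents are constructed here to mimic the original and the roundtripped file, and the identifier keys used for ordering (SPDXID, bom-ref, algorithm) are an assumption about what is stable across conversion.

```python
import json
from typing import Any, List, Tuple

# Fields assumed to survive a roundtrip and therefore usable as sort keys;
# anything else falls back to its canonical JSON text.
ID_KEYS = ("SPDXID", "bom-ref", "algorithm")

def _sort_key(item: Any):
    if isinstance(item, dict):
        for k in ID_KEYS:
            if k in item:
                return (0, str(item[k]))
    return (1, json.dumps(item, sort_keys=True))

def canonicalize(node: Any) -> Any:
    """Sort dict keys and order lists so documents that differ only in
    element order compare equal (the 'ordering logic' the thread asks for)."""
    if isinstance(node, dict):
        return {k: canonicalize(node[k]) for k in sorted(node)}
    if isinstance(node, list):
        return sorted((canonicalize(x) for x in node), key=_sort_key)
    return node

def diff_sboms(before: Any, after: Any, path: str = "$") -> List[Tuple[str, Any, Any]]:
    """Return (path, before, after) for every leaf that changed; a key dropped
    by the conversion shows up with after=None, an added key with before=None."""
    changes: List[Tuple[str, Any, Any]] = []
    if isinstance(before, dict) and isinstance(after, dict):
        for k in sorted(set(before) | set(after)):
            changes += diff_sboms(before.get(k), after.get(k), f"{path}.{k}")
    elif isinstance(before, list) and isinstance(after, list):
        for i in range(max(len(before), len(after))):
            b = before[i] if i < len(before) else None
            a = after[i] if i < len(after) else None
            changes += diff_sboms(b, a, f"{path}[{i}]")
    elif before != after:
        changes.append((path, before, after))
    return changes

# Constructed sample: the roundtripped copy lists packages in another order,
# has filesAnalyzed flipped to false, and lost a free-text comment.
ORIGINAL = {"spdxVersion": "SPDX-2.3", "packages": [
    {"SPDXID": "SPDXRef-nginx", "name": "nginx", "filesAnalyzed": True,
     "comment": "built from source",
     "checksums": [{"algorithm": "SHA256", "checksumValue": "CONSTRUCTED-DIGEST"}]},
    {"SPDXID": "SPDXRef-zlib", "name": "zlib", "filesAnalyzed": True}]}
ROUNDTRIPPED = {"spdxVersion": "SPDX-2.3", "packages": [
    {"SPDXID": "SPDXRef-zlib", "name": "zlib", "filesAnalyzed": False},
    {"SPDXID": "SPDXRef-nginx", "name": "nginx", "filesAnalyzed": False,
     "checksums": [{"algorithm": "SHA256", "checksumValue": "CONSTRUCTED-DIGEST"}]}]}

def roundtrip_losses() -> List[Tuple[str, Any, Any]]:
    return diff_sboms(canonicalize(ORIGINAL), canonicalize(ROUNDTRIPPED))
```

Pointing the same two functions at nginx.spdx.json and the examples_rd2 output reports each lost or altered field by JSON path instead of the raw line diff the thread found unreadable.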

houdini91 commented 1 year ago

@jspeed-meyers @puerco Can we close this issue? It was only used to communicate about the demo.

jspeed-meyers commented 1 year ago

@houdini91: Sounds good! I'll close this now. TY!