snyk / parlay

Enrich SBOMs with data from third party services
Apache License 2.0
123 stars 19 forks

feat: add SPDX support to scorecard #28

Closed mcombuechen closed 1 year ago

mcombuechen commented 1 year ago

This adds SPDX support to the parlay scorecard enrich command. Logic is pretty much the same as it is for CycloneDX, just using a few early returns instead of nested ifs.

I tried to see if we could improve perf by making a HEAD request to the Scorecard API, which they unfortunately don’t support…

$ parlay scorecard enrich testing/sbom.spdx-2.3.json | jq ".packages[1]"
{
  "name": "debug",
  "SPDXID": "SPDXRef-2-debug-1.0.5",
  "versionInfo": "1.0.5",
  "downloadLocation": "NOASSERTION",
  "filesAnalyzed": true,
  "copyrightText": "NOASSERTION",
  "externalRefs": [
    {
      "referenceCategory": "PACKAGE-MANAGER",
      "referenceType": "purl",
      "referenceLocator": "pkg:npm/debug@1.0.5"
    },
    {
      "referenceCategory": "OTHER",
      "referenceType": "openssfscorecard",
      "referenceLocator": "https://api.securityscorecards.dev/projects/github.com/debug-js/debug"
    }
  ]
}

Once this is merged, I’d like to have a stab at refactoring all the sizedwaitgroup repetition.
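The enrichment step the comment describes, written out as a stand-alone example in Go (this is an added illustration, not parlay's own code or API). It decodes an SPDX JSON document, finds each package's purl externalRef, resolves it to a source repository, and appends an externalRef of referenceType `openssfscorecard` pointing at the Scorecard API, using early returns for the cases where nothing should be added. Assumptions: the purl-to-repository table `repoForPurl` is a constructed stand-in for whatever network lookup a real enricher performs, `sampleSBOM` is a constructed document, and the externalRef shape is copied from the output shown above.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Base of the locator written for each package (taken from the PR output above).
const scorecardAPI = "https://api.securityscorecards.dev/projects/"

// Assumption: a constructed purl -> repository table standing in for the real
// lookup; parlay's own resolver is not shown on this page.
var repoForPurl = map[string]string{
	"pkg:npm/debug@1.0.5": "github.com/debug-js/debug",
}

// Constructed SPDX 2.3 document: one package without a purl, one that resolves,
// one whose purl is unknown to the table. Extra fields test the round trip.
const sampleSBOM = `{
  "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-app",
  "documentNamespace": "https://example.invalid/sbom/example-app",
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-root", "versionInfo": "0.1.0",
     "downloadLocation": "NOASSERTION"},
    {"name": "debug", "SPDXID": "SPDXRef-2-debug-1.0.5", "versionInfo": "1.0.5",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "MIT",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
       "referenceType": "purl", "referenceLocator": "pkg:npm/debug@1.0.5"}]},
    {"name": "unknown-lib", "SPDXID": "SPDXRef-3-unknown-lib-9.9.9",
     "versionInfo": "9.9.9", "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
       "referenceType": "purl", "referenceLocator": "pkg:npm/unknown-lib@9.9.9"}]}
  ]
}`

// externalRefs returns a package's externalRefs list, or nil if absent/malformed.
func externalRefs(pkg map[string]any) []any {
	refs, _ := pkg["externalRefs"].([]any)
	return refs
}

// refLocator returns the locator of the first externalRef with the given
// referenceType, or "" when the package carries none of that type.
func refLocator(pkg map[string]any, refType string) string {
	for _, v := range externalRefs(pkg) {
		ref, ok := v.(map[string]any)
		if !ok {
			continue
		}
		if t, _ := ref["referenceType"].(string); t == refType {
			loc, _ := ref["referenceLocator"].(string)
			return loc
		}
	}
	return ""
}

// enrichPackage appends an openssfscorecard externalRef to pkg (mutated in place)
// and reports whether it did. Each early return is a case where nothing is added:
// already enriched (keeps re-runs idempotent), no purl, or no known repository.
func enrichPackage(pkg map[string]any) bool {
	if refLocator(pkg, "openssfscorecard") != "" {
		return false
	}
	purl := refLocator(pkg, "purl")
	if purl == "" {
		return false
	}
	repo, ok := repoForPurl[purl]
	if !ok {
		return false
	}
	pkg["externalRefs"] = append(externalRefs(pkg), map[string]any{
		"referenceCategory": "OTHER",
		"referenceType":     "openssfscorecard",
		"referenceLocator":  scorecardAPI + repo,
	})
	return true
}

// EnrichSPDX decodes the document into a generic map so every field it does not
// model survives the round trip, enriches each package, and returns the re-encoded
// document plus the number of packages that gained a scorecard ref.
func EnrichSPDX(raw []byte) ([]byte, int, error) {
	var doc map[string]any
	if err := json.Unmarshal(raw, &doc); err != nil {
		return nil, 0, fmt.Errorf("parse SPDX document: %w", err)
	}
	pkgs, _ := doc["packages"].([]any)
	added := 0
	for _, v := range pkgs {
		if pkg, ok := v.(map[string]any); ok && enrichPackage(pkg) {
			added++
		}
	}
	out, err := json.MarshalIndent(doc, "", "  ")
	return out, added, err
}

func main() {
	out, n, err := EnrichSPDX([]byte(sampleSBOM))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Fprintf(os.Stderr, "enriched %d package(s)\n", n)
	fmt.Println(string(out))
}
```

Two points worth keeping in mind when consuming the output. The added locator is a URL into a third-party API, so a downstream tool should match on `referenceType` and the expected host before dereferencing it rather than fetching whatever a `referenceCategory: OTHER` entry contains. And the enrichment is only as trustworthy as the purl-to-repository resolution: a wrong mapping attaches another project's scorecard to the package, so the resolver's source should be trusted and the result reviewed. Decoding into a generic map is deliberate: an enricher that round-trips the SBOM through a struct it only partly models silently drops fields the producer put there.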

mcombuechen commented 1 year ago

Closes #3

garethr commented 1 year ago

Yeah, I looked into the HEAD request. Need to open an issue on the scorecard project. Looks good 👍