Comments (8)
mcombuechen
commented on July 28, 2024
Hey @garethr
happy to take a stab at this. I think we need a sort of strategy pattern solution that invokes different code based on whether handling CycloneDX or SPDX.
Some questions:
- Are the contents of
libintended to be used by 3rd party tools outside of parlay? (I think this would be great, maybe we rename the directory topkgto make it more Golang idiomatic) - The
enrichinterface (enrichSBOMfunctions inlibthat is) is currently bytes in, bytes out, which is a pleasant UX. However, it would require us to apply brute force to understand the given SBOM in a sea of possible permutations (CycloneDX? SPDX? Schema version? XML? JSON? YAML? Text?). Should the interface change to require the SBOM schema, or do we want to invest in a brute force solution?
from parlay.
garethr
commented on July 28, 2024
Good questions:
- Yes, I think we should formalise a library interface, and make the package names more idiomatic. Parlay could be used by SBOM generation tools to just do the enrichment at the same time as build. Have a tracking issue for that #10.
- I've though about it only in passing, pros and cons to both. I'm not strongly opinionated in theory. I think it's a case of writing some code and one approach hopefully feeling more pleasant. Maybe a slight bias towards an explicit interface?
from parlay.
goneall
commented on July 28, 2024
Not being a Go programmer myself, I won't be able to contribute code - but I can point you to some libraries supported by the SPDX community that may be helpful. My apologies if this is already known info.
- tools-golang - Includes a library that can read/write SPDX documents
- SPDX JSON Schema
- cdx2spdx - Java utility that converts CycloneDX to SPDX - might be useful to understand how to translates different fields
Ping me if you have any SPDX questions and I'd be glad to help.
from parlay.
mcombuechen
commented on July 28, 2024
Draft PR open here: #20
from parlay.
mcombuechen
commented on July 28, 2024
@garethr I had a play with the brute-force idea in this draft PR. It lead me to believe that we need to extend the interface beyond just bytes and ask consumers to specify the given format, I see too many cons otherwise. WDYT?
from parlay.
goneall
commented on July 28, 2024
I had a play with the brute-force idea #20. It lead me to believe that we need to extend the interface beyond just bytes and ask consumers to specify the given format, I see too many cons otherwise. WDYT?
@garethr I tend to agree with @mcombuechen - the brute force could be problematic.
from parlay.
mcombuechen
commented on July 28, 2024
@garethr Should we close this issue?
from parlay.
garethr
commented on July 28, 2024
Now shipped in v0.2.0
from parlay.
Related Issues (20)
- Should enrichment modify or add to the tools noted in the SBOM HOT 3
- Unable to install HOT 1
- Debug messages HOT 1
- Add a mechanism to get the version on the CLI HOT 1
- Add Snyk Advisor external reference links in the Snyk enricher
- Add Snyk Vulnerability DB external reference links in the Snyk enricher
- snyk enrich doesn't return vulnerabilities HOT 3
- operation system package don't work HOT 3
- Add support for github purl-type HOT 1
- Error when try to scan .xml SBOM HOT 1
- PURLs not resolving properly when enriching a CycloneDX SBOM with ecosyste.ms HOT 1
- Snyk enrichement returns null always
- Snyk package and enrichment command runtime error on Windows HOT 2
- Snyk enrich is looking up user info per package
- Snyk cmd missing debug output
- getSnykOrg does not error on non-200 responses
- No error message for invalid token for snyk enrich and package HOT 2
- Support for CycloneDX 1.5 HOT 1
- No information found for components with a group HOT 4
- No enrichment for nested components in CycloneDX HOT 3
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from parlay.