Fallback on 'cdx' or 'bom' JSON files for Java BOM #1127
Conversation
Signed-off-by: nekhtan <129828933+nekhtan@users.noreply.github.com>
|
Thank you so much! Did the fix work as per your needs? |
Actually, no, I opened the PR too soon :( The filter seems a bit too wide: I have SBOM test files that match the new pattern and they are taken into account. The resulting SBOM is way too large and does not represent the reality (aggregates the project's BOM and the BOMs from tests). |
|
@nekhtan, may be use |
|
Alright I struggled a bit with the exclude but it finally does the job: Note that:
|
|
Could you test the exclude a bit more and contribute to the docs as well in a separate PR? |
|
I went all the way up to this line and it's still broken... Broken when using node directly: > node /c/<path>/cdxgen/bin/cdxgen.js --no-recurse --exclude="**/src/test/**/*.json"
process.argv [
...,
'--exclude=**C:/dev/PortableGit/src/test/**/*.json'
]Working when using node from the result of > C:/<path>/bin/node /c/<path>/cdxgen/bin/cdxgen.js --no-recurse --exclude="**/src/test/**/*.json"
process.argv [
...,
'--exclude=**/src/test/**/*.json'
] |
|
ok, let's look into the exclude issue separately. Do we need the |
|
For my own need, it seems to work just fine with the exclusion, so as far as I'm concerned the PR is ok. Regarding the general behaviour, I dont think it would be wise to replace the current pattern with a completely different one: it might break for other people, don't you think? The one you suggested doesn't break the current behavior, it just extends it, right? |
|
It's a good point, although we can never be sure with opensource, since every change could break something somewhere. I think we can add the target prefix, since that code shouldn't pick up any other sbom file. Could you kindly make this change? |
Signed-off-by: nekhtan <129828933+nekhtan@users.noreply.github.com>
Updated the fallback lookup of BOM files to find JSON files that either contain "bom" or "cdx" in their filename.
Linked to #1126