Expose merging SBOMs #9

Open
sambhav opened this issue Oct 5, 2021 · 4 comments

@sambhav
Member

sambhav commented Oct 5, 2021

Hello 👋 we are starting the work on integrating CycloneDX in buildpacks. As a part of this work, we need to be able to merge CycloneDX SBOMs provided by various buildpacks involved in the build process through our Go-based binary called the lifecycle. We were hoping for the behavior exposed by the CycloneDX CLI to be available via a Go library. Would it be possible to add this as an enhancement?

@nscuro nscuro added the enhancement New feature or request label Oct 5, 2021
@nscuro nscuro added this to the v0.5.0 milestone Oct 6, 2021
@nscuro
Member

nscuro commented Oct 8, 2021

Note to self: Merging as performed by the CLI is implemented here in the .NET library: https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Utils/Merge.cs

@coderpatros
Member

Don't be limited by what I managed to implement for merging in the CLI tool. It still requires some work, especially around the flat merging approach, i.e. it doesn't handle dependency graphs. But from memory the hierarchical merging was reasonably feature complete.

@nscuro
Member

nscuro commented Oct 16, 2021

Yeah, there are a few other points I'd like to address with flat merging. Like deduplication of components and services, rewiring of the dependency graph etc. I've used a merging library for the initial implementation, but that may not be the best idea after all. Will need to do a bit more research here.
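A sketch of the flat-merge behaviour discussed above (deduplicating components and rewiring the dependency graph), added here as an illustration; it is not part of the thread and is not cyclonedx-go or CLI code. The `Component` and `BOM` types, `FlatMerge`, the choice of PURL as deduplication key and the `bomN:` ref prefix are all assumptions of this example.

```go
package main

import "fmt"

// Hypothetical minimal types for this example, not the cyclonedx-go API.
type Component struct{ BOMRef, PURL string }
type BOM struct {
	Components   []Component
	Dependencies map[string][]string // bom-ref -> bom-refs it depends on
}

// FlatMerge dedupes components by PURL and rewires edges to the surviving ref.
func FlatMerge(boms ...BOM) BOM {
	byPURL := map[string]string{} // PURL -> surviving bom-ref
	edge := map[string]bool{}     // "from\x00to" pairs already emitted
	out := BOM{Dependencies: map[string][]string{}}
	for i, b := range boms {
		local := map[string]string{} // this BOM's bom-ref -> surviving ref
		for _, c := range b.Components {
			// Prefix with the input index: bom-refs are only unique per BOM.
			ref, key := fmt.Sprintf("bom%d:%s", i, c.BOMRef), c.PURL
			if key == "" {
				key = ref // no PURL to compare, so never deduplicated
			}
			if _, seen := byPURL[key]; !seen {
				byPURL[key] = ref
				out.Components = append(out.Components, Component{ref, c.PURL})
			}
			local[c.BOMRef] = byPURL[key]
		}
		for from, targets := range b.Dependencies {
			for _, t := range targets {
				f, to := local[from], local[t] // "" means a dangling ref
				if k := f + "\x00" + to; f != "" && to != "" && f != to && !edge[k] {
					edge[k] = true
					out.Dependencies[f] = append(out.Dependencies[f], to)
				}
			}
		}
	}
	return out
}

func main() { // constructed input: two SBOMs that both list the same library
	lib := "pkg:golang/example.com/lib@1.0.0"
	a := BOM{[]Component{{"app", ""}, {"lib", lib}}, map[string][]string{"app": {"lib"}}}
	b := BOM{[]Component{{"dep", lib}, {"z", "pkg:generic/zlib@1.3"}}, map[string][]string{"dep": {"z"}}}
	fmt.Printf("%+v\n", FlatMerge(a, b))
}
```

The first occurrence of a PURL wins here; reconciling differing metadata (hashes, licenses) between duplicates is left out of this sketch.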

@nscuro nscuro modified the milestones: v0.5.0, v0.6.0 Feb 4, 2022
@nscuro nscuro modified the milestones: v0.6.0, v0.7.0 May 20, 2022
@ribbybibby

This would be really great to see. I'm working with CycloneDX in Go and my options for merging at the moment are:

  1. Implement this myself
  2. Exec out to the cyclonedx CLI.

Neither is very appealing!

@nscuro nscuro modified the milestones: v0.7.0, v0.8.0 Sep 28, 2022
@nscuro nscuro modified the milestones: v0.8.0, v1.0.0 Dec 10, 2023