Import CycloneDx request from sFractal #3
Assignees
Comments
|
Hi Duncan, Thanks for creating this. I know you had asked for it I had dropped the ball! Can you provide samples apart from what I generate so I can have a wider corpus to test import of CycloneDx. CylconeDX JSON and XML if possible for each scenario below will be helpful
Thanks |
|
https://cyclonedx.org/#example-sbom has an example in both xml and JSON. There is a multilevel example at https://cyclonedx.org/ext/dependency-graph/. There are a bunch of other examples on that website. You might also want to look at https://github.com/CycloneDX/gh-node-module-generatebom.
iPhone, iTypo, iApologize
…________________________________
From: Vijay Sarvepalli <notifications@github.com>
Sent: Sunday, September 20, 2020 12:35:27 PM
To: CERTCC/SBOM <SBOM@noreply.github.com>
Cc: duncan sfractal.com <duncan@sfractal.com>; Author <author@noreply.github.com>
Subject: Re: [CERTCC/SBOM] Import CycloneDx request from sFractal (#3)
Hi Duncan,
Thanks for creating this. I know you had asked for it I had dropped the ball! Can you provide samples apart from what I generate so I can have a wider corpus to test import of CycloneDx. CylconeDX JSON and XML if possible for each scenario below will be helpful
1. Simple SBOM with one product and two sub-components included in a single-tier relationship
2. SBOM with three or more levels of relationship between sub-components.
3. SBOM with an external relationship either embedded into one CycloneDX file or as two distinct CycloneDX files
Thanks
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#3 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AANEXD2GWRUSYSQWVBX7YCLSGYVM7ANCNFSM4RTT5SUQ>.
|
|
Hi Duncan, I have been running some sample parsers on CycloneDX. There are a number of challenges in reliably parsing CycloneDX both XML and JSON.
I am going to put this "on hold" for now, due to all these challenges. Vijay |
|
Thanks for trying.
So I understand – you can still output CycloneDX xml & json but you can’t accept external input due to parsing issues. Correct?
Duncan Sparrell
sFractal Consulting LLC
iPhone, iTypo, iApologize
I welcome VSRE emails. Learn more at http://vsre.info/
From: GitHub <notifications@github.com>
Reply-To: CERTCC/SBOM <reply@reply.github.com>
Date: Thursday, September 24, 2020 at 11:51 AM
To: CERTCC/SBOM <SBOM@noreply.github.com>
Cc: "duncan@sfractal.com" <duncan@sfractal.com>, Author <author@noreply.github.com>
Subject: Re: [CERTCC/SBOM] Import CycloneDx request from sFractal (#3)
Hi Duncan,
I have been running some sample parsers on CycloneDX. There are a number of challenges in reliably parsing CycloneDX both XML and JSON.
1. There are too many options for the same information - like vendor/supplier/manufacture/publisher these are not tags but distinct fields making it sort of difficult to look for both or either or
2. The XML and JSON parsers with verification to the XML Namespace and JSON Schema require a number of schema information downloaded and then loaded in memory. This opens so many other issues like performance, cross-site security, unparseable errors.
I am going to put this "on hold" for now, due to all these challenges.
Vijay
—
You are receiving this because you authored the thread.
Reply to this email directly, view it on GitHub<#3 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AANEXD2GI4B3323IRGJQF5DSHNTI7ANCNFSM4RTT5SUQ>.
|
|
Yes, Vijay |
|
Cyclone DX JSON is available for output now. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Many build tools create CycloneDx SBOMs. Having import-CycloneDx button (similar to import-spdx and import-excel) would save me typing them into form or making fake SBoM and using hierarchy features.
The text was updated successfully, but these errors were encountered: