Description
Hey,
I'm not sure if this is intentional or an oversight, but while using the DependencyGraph.GetSBOM() function from the GitHub client:
go-github/github/dependency_graph.go, line 67 at 718c304:

```go
func (s *DependencyGraphService) GetSBOM(ctx context.Context, owner, repo string) (*SBOM, *Response, error) {
```
I noticed that the returned SBOMInfo struct is missing important fields: the relationships section is absent entirely, and part of the package information, such as externalRefs, is missing. These are critical for understanding dependency relationships and for identifying known vulnerabilities using identifiers like PURL, CPE, or SWID.
Here's how I'm calling it:

```go
dependencyGraph, _, err := client.DependencyGraph.GetSBOM(ctx.Context, owner, repo)
```

Here's the SBOM I get from this function: https://gist.github.com/viveksahu26/de932a7a4dcc00c6337cec1f7c287b1a
However, when I fetch the SBOM directly using GitHub’s REST API as documented here: https://docs.github.com/en/rest/dependency-graph/sboms?apiVersion=2022-11-28#export-a-software-bill-of-materials-sbom-for-a-repository
I receive a complete SBOM with all the expected details, including relationships and externalRefs:
https://gist.github.com/viveksahu26/b9b53b236fcf9a248e8e4b27ad41f98f
It seems like go-github might be missing logic to fully parse or include these fields from the API response. Could this be looked into?
go-github/github/dependency_graph.go, line 43 at 718c304:

```go
type SBOMInfo struct {
	SPDXID       *string       `json:"SPDXID,omitempty"`
	SPDXVersion  *string       `json:"spdxVersion,omitempty"`
	CreationInfo *CreationInfo `json:"creationInfo,omitempty"`

	// Repo name
	Name              *string  `json:"name,omitempty"`
	DataLicense       *string  `json:"dataLicense,omitempty"`
	DocumentDescribes []string `json:"documentDescribes,omitempty"`
	DocumentNamespace *string  `json:"documentNamespace,omitempty"`

	// List of packages dependencies
	Packages []*RepoDependencies `json:"packages,omitempty"`
}
```
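The following is an added example, not code from go-github or from the issue author, showing how the `relationships` and `externalRefs` keys get lost and how to keep them. It uses only the Go standard library. The `sampleSBOM` document is constructed here in the shape of the REST endpoint's response (SPDX 2.3 JSON under a top-level `sbom` key) and is not real repository output; the `narrowSBOM` type is an approximation of the quoted `SBOMInfo` field set, and its package type is an assumption rather than go-github's `RepoDependencies`. Because `encoding/json` silently ignores keys that have no matching struct field, `CheckDroppedFields` decodes with `DisallowUnknownFields` to make the loss visible, while `ParseSBOM` decodes into wider types that keep the PURLs and DEPENDS_ON edges.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// sampleSBOM is a constructed document, not real GitHub output.
const sampleSBOM = `{"sbom":{
 "SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.3","name":"com.github.example/app",
 "dataLicense":"CC0-1.0","documentDescribes":["SPDXRef-Package-example-app"],
 "packages":[
  {"SPDXID":"SPDXRef-Package-example-app","name":"com.github.example/app",
   "versionInfo":"main","downloadLocation":"NOASSERTION"},
  {"SPDXID":"SPDXRef-Package-npm-lodash-4.17.21","name":"npm:lodash",
   "versionInfo":"4.17.21","downloadLocation":"NOASSERTION",
   "externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl",
    "referenceLocator":"pkg:npm/lodash@4.17.21"}]}],
 "relationships":[{"spdxElementId":"SPDXRef-Package-example-app",
  "relationshipType":"DEPENDS_ON","relatedSpdxElement":"SPDXRef-Package-npm-lodash-4.17.21"}]}}`

// Wide types: every field the endpoint returns that a scanner needs.
type ExternalRef struct {
	ReferenceCategory string `json:"referenceCategory"`
	ReferenceType     string `json:"referenceType"`
	ReferenceLocator  string `json:"referenceLocator"`
}

type Package struct {
	SPDXID           string        `json:"SPDXID"`
	Name             string        `json:"name"`
	VersionInfo      string        `json:"versionInfo"`
	DownloadLocation string        `json:"downloadLocation"`
	ExternalRefs     []ExternalRef `json:"externalRefs,omitempty"`
}

type Relationship struct {
	SPDXElementID      string `json:"spdxElementId"`
	RelationshipType   string `json:"relationshipType"`
	RelatedSPDXElement string `json:"relatedSpdxElement"`
}

type SPDXDocument struct {
	SPDXID            string         `json:"SPDXID"`
	SPDXVersion       string         `json:"spdxVersion"`
	Name              string         `json:"name"`
	DataLicense       string         `json:"dataLicense"`
	DocumentDescribes []string       `json:"documentDescribes"`
	Packages          []Package      `json:"packages"`
	Relationships     []Relationship `json:"relationships"`
}

// ParseSBOM decodes the full response, keeping externalRefs and relationships.
func ParseSBOM(data []byte) (*SPDXDocument, error) {
	var resp struct {
		SBOM SPDXDocument `json:"sbom"`
	}
	if err := json.Unmarshal(data, &resp); err != nil {
		return nil, err
	}
	return &resp.SBOM, nil
}

// PURLs maps each package SPDXID to its package-URL locators, the
// identifiers a vulnerability scanner matches against.
func PURLs(doc *SPDXDocument) map[string][]string {
	out := make(map[string][]string)
	for _, p := range doc.Packages {
		for _, ref := range p.ExternalRefs {
			if ref.ReferenceType == "purl" {
				out[p.SPDXID] = append(out[p.SPDXID], ref.ReferenceLocator)
			}
		}
	}
	return out
}

// DependsOn returns the SPDX IDs that spdxID DEPENDS_ON, read from the
// relationships section that the narrow struct drops.
func DependsOn(doc *SPDXDocument, spdxID string) []string {
	var deps []string
	for _, r := range doc.Relationships {
		if r.SPDXElementID == spdxID && r.RelationshipType == "DEPENDS_ON" {
			deps = append(deps, r.RelatedSPDXElement)
		}
	}
	return deps
}

// narrowSBOM approximates the quoted SBOMInfo field set (assumption: the
// package fields listed here, since RepoDependencies is not shown above).
type narrowSBOM struct {
	SBOM struct {
		SPDXID            string          `json:"SPDXID"`
		SPDXVersion       string          `json:"spdxVersion"`
		CreationInfo      json.RawMessage `json:"creationInfo"`
		Name              string          `json:"name"`
		DataLicense       string          `json:"dataLicense"`
		DocumentDescribes []string        `json:"documentDescribes"`
		DocumentNamespace string          `json:"documentNamespace"`
		Packages          []struct {
			SPDXID           string `json:"SPDXID"`
			Name             string `json:"name"`
			VersionInfo      string `json:"versionInfo"`
			DownloadLocation string `json:"downloadLocation"`
		} `json:"packages"`
	} `json:"sbom"`
}

// CheckDroppedFields returns a non-nil error naming the first key the narrow
// struct would silently discard; a plain json.Unmarshal would report nothing.
func CheckDroppedFields(data []byte) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	dec.DisallowUnknownFields()
	var n narrowSBOM
	return dec.Decode(&n)
}

func main() {
	doc, err := ParseSBOM([]byte(sampleSBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println("purls:", PURLs(doc))
	fmt.Println("app depends on:", DependsOn(doc, "SPDXRef-Package-example-app"))
	fmt.Println("narrow decode:", CheckDroppedFields([]byte(sampleSBOM)))
}
```

Until the library's types are widened, the same approach works against the live endpoint: go-github's client exposes `NewRequest` and `Do`, which decode the response into whatever target type you pass, so the wide `SPDXDocument` above can stand in for `SBOMInfo` without any change to go-github itself.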