Generate SBOMs for publicly available packages #1508
base: master
Conversation
Signed-off-by: Yadhu Krishna M <[email protected]>
f0141f8 to 0da5182
import { existsSync, mkdtempSync, writeFileSync } from "node:fs"; | ||
import { tmpdir } from 'os'; | ||
import { join } from 'path'; | ||
import fetch from 'node-fetch'; |
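Review bot: the three Node built-in imports in this hunk are inconsistent: `"node:fs"` carries the `node:` prefix and double quotes while `'os'` and `'path'` use neither; write them as `import { tmpdir } from "node:os";` and `import { join } from "node:path";` so the quoting matches the first line and the prefix makes it explicit that these are core modules. Whichever HTTP client ends up replacing `node-fetch` on the last line, the download it performs is driven by a user-supplied purl, so give it a request timeout and a cap on the response size rather than reading an arbitrary remote body into memory.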
Can we use got instead of node-fetch?
@@ -315,6 +316,10 @@ const args = yargs(hideBin(process.argv)) | |||
"filename", | |||
], | |||
}) | |||
.option("inspect-purl", { |
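Review bot: the `.option("inspect-purl", {` definition is cut off in this view, so its `type`, `description` and `default` cannot be checked; whatever its final shape, the description should say plainly that the flag makes cdxgen download package metadata from a remote repository, since network access is not something a user expects from a tool that otherwise reads a local checkout, and it should default to off.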
I think we can remove this option and make it automatic based on filePath?
process.exit(1); | ||
} | ||
|
||
filePath = dirname(pomPath); |
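Review bot: `filePath = dirname(pomPath);` replaces the user's target directory with the temporary directory that holds the downloaded POM (created via the `mkdtempSync` imported earlier in this PR), so the generated SBOM carries no trace of the purl it was built for; set a property or evidence entry on the root component with the original purl before output, and remove that temporary directory once generation finishes so downloaded POMs do not accumulate under `tmpdir()` across runs.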
We may have to do some post-processing to set a property or an evidence to the original purl that led to an sbom?
@yadhukrishnam Shall we meet online in the new year and resume the discussion for this feature for 11.1.x? My email is prabhu at appthreat dot dev. Happy Holidays!
I have a use case to generate SBOMs for any publicly available package. Would love to see this feature in cdxgen!
For now, I have implemented this just for Maven Central.