-
Jamie Tanna authored
As part of #21, we can add support for the parsing of SBOMs on the command-line through a new `import sbom` subcommand. Because the SBOM may not reliably tell us where it's come from (platform/org/repo-wise) we can require this on the command-line. Although it'd be good to use github.com/anchore/syft for the managing of parsing types of SBOMs, it's unfortunately blocked by [0], and is a fairly heavyweight library due to other functionality within it, which would bloat the project. Instead we can perform a lightweight version of the `formats.Identify` functionality to produce a consistent way to expand supported types of SBOMs. To start with, we can add support for SPDX-2.3 SBOMs. [0]: https://github.com/anchore/syft/issues/2112
Jamie Tanna authoredAs part of #21, we can add support for the parsing of SBOMs on the command-line through a new `import sbom` subcommand. Because the SBOM may not reliably tell us where it's come from (platform/org/repo-wise) we can require this on the command-line. Although it'd be good to use github.com/anchore/syft for the managing of parsing types of SBOMs, it's unfortunately blocked by [0], and is a fairly heavyweight library due to other functionality within it, which would bloat the project. Instead we can perform a lightweight version of the `formats.Identify` functionality to produce a consistent way to expand supported types of SBOMs. To start with, we can add support for SPDX-2.3 SBOMs. [0]: https://github.com/anchore/syft/issues/2112
Code owners
Assign users and groups as approvers for specific file changes. Learn more.