Import SBOM
https://pkg.go.dev/github.com/ibm/sbom-utility
github.com/anchore/syft/syft/formats looks like a better fit:
package main
import (
"fmt"
"log"
"os"
"github.com/anchore/syft/syft/formats"
)
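// main decodes the SBOM file named by the single command-line argument using
// syft's format auto-detection and prints its top-level sections (descriptor,
// source, relationships, coordinates) plus a sample of the package catalog to
// stdout. It is an exploratory dump: the file is parsed and printed, nothing
// in it is acted on. Any failure exits the process via log.Fatal.
func main() {
	if len(os.Args) != 2 {
		log.Fatal("Need an argument")
	}

	f, err := os.Open(os.Args[1])
	if err != nil {
		log.Fatal(err)
	}
	// Release the handle when decoding is done instead of relying on process
	// exit (the original never closed it).
	defer f.Close()

	// formats.Decode sniffs the format from the file content, so the input
	// file chooses which syft parser runs. Everything it returns is data
	// taken from an arbitrary file and is treated here purely as output.
	sbom, format, err := formats.Decode(f)
	if err != nil {
		log.Fatalf("decoding %q: %v", os.Args[1], err)
	}

	fmt.Printf("sbom: %v\n", sbom)
	fmt.Printf("format: %v\n", format)
	fmt.Printf("sbom.AllCoordinates(): %v\n", sbom.AllCoordinates())
	fmt.Printf("sbom.Descriptor: %#v\n", sbom.Descriptor)
	fmt.Printf("sbom.Relationships: %v\n", sbom.Relationships)
	fmt.Printf("sbom.Source: %#v\n", sbom.Source)
	// Dumping sbom.Artifacts wholesale is too noisy; only the catalog sample
	// below is printed.

	if sbom.Artifacts.PackageCatalog != nil {
		// Only a sample of the catalog is shown. The cut-off keeps the
		// original behaviour of printing 12 entries (indices 0..11), but the
		// bound is now checked before printing rather than after.
		const maxShown = 12
		for i, p := range sbom.Artifacts.PackageCatalog.Sorted() {
			if i >= maxShown {
				break
			}
			fmt.Println(i, p)
			fmt.Printf("p.Language: %v\n", p.Language)
		}
	}
}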
// Row currently carries no fields; its intended contents are not yet
// defined in this sketch.
type Row struct{}
https://github.blog/changelog/2023-03-28-generate-an-sbom-from-the-dependency-graph
But we'll need more info for retrieving the organisation
and repository
if those are even still valid? That would break the domain model, which expects them to be there.