Support for multiple bom files generation #1466

Open
prabhu opened this issue Nov 20, 2024 · 0 comments

prabhu (Collaborator) commented Nov 20, 2024

cdxgen could support generating multiple BOM files for a given project. We can support a few styles of splitting and implement it as a postgen step.

Having such a more granular representation of the ingredients of a digital product would help tiny ML models (~1M tokens) and tools like depscan v7 understand the composition layers better for deeper analysis. It would be super cool to have dependency-track support multiple BOM file uploads per project too.

Splitting strategies

  • By BOM type (OBOM, SaaSBOM, CBOM)
  • By purl package type
  • By lifecycle phase
  • By analysis technique

We then need the following things:

  • --out-dir argument to accept a directory, since the current output argument is a file.
  • A naming strategy for the generated files, since the current default is bom.json.
  • An index sbom file to link all generated bom files using externalReferences.
  • Enhance the automatic composition logic to indicate that each bom file is incomplete.