softwaredesignlab / sbom-in-a-box
SBOM-in-a-Box is a unified platform to promote the production, consumption, and utilization of Software Bills of Materials.
License: MIT License
Description Here
Refactor Merger to completely accommodate for new internal SBOM changes.
The current Quality Report generates a massive JSON file of information. To reduce information overload, we can truncate the data that is returned based on parameters for the /qa endpoint.
Description Here
Refactor Generators to match new internal SBOM changes.
Create the VEX factory.
- SBOM ID
- API Key
- OSV
- NVD
- OSV HTTP Client and API call (1)
- NVD HTTP Client and API call (1)
Misc.
Description:
if applicable
Expected Output:
Actual Output:
Link to Source Material (e.g. project GitHub):
Relevant Screenshot(s):
The goal of this issue is to get the backend/API running on its own in a Docker container.
core & api packages and serve the API on port 8080.
Use the respective component builder interfaces to create component builders.
Builders
Misc.
The current SPDX Metrics Processor in SoftwareDesignLab/SBOM-Plugfest#171 is partially complete, but is missing a few fields that need a more robust SBOM object before implementation.
See above screenshot for example. To replicate this, simply run all tests in GradleParserTest. Some dependencies just do not exist on Sonatype. For example, the org.springframework.spring-oop package has no results when searching Sonatype.
Two possible solutions - either avoid logging and just print a debug line saying no package found on Sonatype, or use a different repo??
Currently CDX translators extract metadata and application tools from the SBOM. TranslatorSPDX.java should have the same functionality.
TranslatorSPDX extracts all metadata and tools and populates the SBOM metadata object.
Create CDX1.4 JSON and SPDX2.3 JSON / Tag-Value serializers based on the UML specs.
- Update UML architecture
- SerializerFactory Class
- InvalidFormatException
- Serializer Abstract Class
- CDX14JSONSerializer Class
- SPDX23JSONSerializer Class
- SPDX23TagValueSerializer Class
- SVIPSBOMJSONSerializer Class
- ~90% Code Coverage
Using the CDX1.4SBOMBuilder interface, create an object for the builder.
Class Features
Misc.
The BenchmarkParser currently performs an individual isInternalComponent() by walking the filetree each time. Instead, we should build a live representation of the file-tree at program start once and query that instead of re-walking the tree over and over again.
The backend will be replacing the current metrics endpoint to return an SBOM object instead, with metrics integrated within it to account for both metadata and component testing.
SBOM currently stores a Hash object and should be storing strings instead. See SoftwareDesignLab/SBOM-Plugfest#139 for the CPE implementation and SoftwareDesignLab/SBOM-Plugfest#134 for the PURL implementation.
- Hash object is refactored to function similar to the PURL and CPE objects
- Hash throws an error on an attempt to make an invalid Hash object
Create the SBOM Builder Factory interface and the respective SBOM Builder Factories.
Misc.
Create the initial interfaces for the Component Builders.
2.2: The system shall allow users to upload any SBOM, regardless of origin format
Instead of storing uploaded files in a HashMap, we need to store them in a database server. This can be achieved by running a MySQL server in a separate Docker container and using the JPA library to connect and execute transactions.
upload, view, & viewFiles endpoints in #62.
The current CDX Metrics Processor in SoftwareDesignLab/SBOM-Plugfest#170 is partially complete, but is missing a few fields that need a more robust SBOM object before implementation. See related #52
The current Uniqueness Processor in SoftwareDesignLab/SBOM-Plugfest#134 is almost complete, but is missing a few fields that need a more robust SBOM object before implementation. See related #45
The CDX Metric Processor contains a test, hasBomRef, that checks that components have some form of identifier. TranslatorCDXJSON does have this in place (typically the purl is used as the bom-ref), but TranslatorCDXXML does not.
While most bom-refs are just the component's purl, if it is a different value, our check would produce false results.
There are numerous fields required in a CycloneDX document that go beyond the minimum SBOM requirements. Having information from these fields and their required elements (listed below) would help create a more extensive and rigorous CDX Metrics Processor if a given SBOM includes these elements.
compositions:
externalReferences:
services:
dependencies:
The current Completeness Processor in SoftwareDesignLab/SBOM-Plugfest#139 is almost complete, but is missing a few fields that need a more robust SBOM object before implementation.
MinElementsTest.
Create an interface for the Component Builder Factory, then create the respective Component Builder Factory classes.
Misc.
Clean up and revise the current Metrics system, as well as refactor it to work with the new SBOM objects.
Unit Tests (~80 Coverage)
If you close the Electron instance too quickly on Mac, the backend will still build and remain running after close.
Add all relevant api/core constants (i.e. version numbers, etc.) to the .env file instead of having them hardcoded. Also, find the best way to establish an "example" config so we don't have .env files in the root of the repository.
- .env file.
- .env file.
- .env.example file and add .env to the gitignore.
This occurs in both JSON and XML. The import * should be fixed in #7 eventually, but the import statements and carriage returns still occur in the name. This should not be the case.
Outdated references to building old SVIP that will need to be updated
Get upload, view, & viewFiles endpoints implemented on the SVIP backend for front-end.
- upload: SBOMFile in the request body - fileName & contents value.
- view
- viewFiles
- delete
Create an SVIP SBOM builder using the CDX 1.4 and SPDX 2.3 SBOM Builder interfaces.
Class Features
Misc.
We shouldn't be storing user data in the VEXFactory. We should just use it to try to log in to NVIP to get a new connection instance.
Create the initial interfaces for the SBOM Builders.
2.2: The system shall allow users to upload any SBOM, regardless of origin format
Interfaces
Create an SPDX 2.3 SBOM builder using the SPDX 2.3 interface.
Class Features
Misc.
There is an edge case where nuget project configurations are formatted like this. I don't see a single instance apart from the Microsoft docs: https://learn.microsoft.com/en-us/nuget/reference/nuspec
At the moment NugetParser is unable to parse this format.
When comparing two DependencyTrees using their equals() methods, only the component names are compared. This is because the current quick-and-dirty fix for comparing two DependencyTrees uses simple string comparison to remove the need for UUIDs.
The toString() method in equals() is mainly generated from the following method:
dependencyMap with an indented list of values. Currently, only the component names are compared and generated in the string.
Snippets from CycloneDX JSON generator output from the Java test project:
Not sure why the first component doesn't have a filepath, this may be insightful as to why there are duplicates. As far as I know, no duplicate checker exists in either the generators or parsers. This should be added in ParserController.
Create CDX1.4 JSON and SPDX2.3 JSON / Tag-Value DEserializers based on the UML specs.
- Update UML architecture
- SerializerFactory Class
- Deserializer Abstract Class
- CDX14JSONDeserializer Class
- SPDX23JSONDeserializer Class
- SPDX23TagValueDeserializer Class
- ~90% Code Coverage
Add the endpoint for report downloads.
Related issue: https://github.com/orgs/SoftwareDesignLab/projects/6/views/5?pane=issue&itemId=32511692
Currently, our translators only collect information on top-level components and no children. If we want to have more flexibility with our SBOMs and sub-dependencies in the future, we will need to collect this.
These are arbitrary, the only difference between these and the current tests in CycloneDXSerializerTest is the number of children.
The output after generating CDX JSON files from the SBOMs, translating them back in, and then comparing them:
Currently, the tests for generator serialization use multiple different instances of SBOMs, most with one or two simple ParserComponents that only have a name attribute.
Create a static method somewhere that returns an SBOM that has everything we want to test (licenses, file references, version, publisher, children of children, etc.) and use that to replace all test SBOM instances in the generator tests.
At the moment, neither scrape publisher/contributor info. This can be done in PackageManagerParser.buildURLs.
dep files include both import library and import library.* statements.
Currently, we only have a translator for SPDX tag-value format (.spdx). Our generator supports JSON, XML, & YAML as well, so these will need to be implemented at some point.
CycloneDXSerializerTest for an example of how a file is generated and then translated back to test expected output.