Make CycloneDX / SPDX SBOMs "first class" input to ORT #9878
Labels: analyzer, cli, new feature
As discussed in one of the community meetings, more and more suppliers already do generate SBOMs (of varying quality). For cases where such SBOMs should be aggregated / processed further, it would be nice if ORT could use them straight as input.
In contrast to the current SpdxDocumentFile "fake" package manager, whose use-case was more to describe projects in the code base that are not managed by a package manager, this is about accepting SBOM input from any location, not limited to files committed to the project's repository.
Maybe separate CLI sub-commands to convert SBOMs to ORT analyzer results could be developed. As SBOMs can describe packages from pretty much any ecosystem, but on the other hand often lack the level of detailed metadata that ORT's data model requires, a pure conversion would likely not be enough; the SBOM data also needs to be enriched. This enrichment should happen through the same mechanisms that ORT's individual package manager implementations use, which in turn probably requires some refactoring to make the enrichment functions available also outside of the context of the corresponding package manager implementation.
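To make the "conversion is not enough, enrichment is needed" point concrete, here is an added sketch (not ORT code, and not part of the issue) of the first half of such a sub-command: it reads a CycloneDX JSON document, maps each component's Package URL onto an ORT-style identifier (`Type:namespace:name:version`), copies over whatever metadata the SBOM does carry, and then reports per package which fields are still empty and would have to be filled by an enrichment step. The purl-type-to-ORT-type table, the `OrtPackage` field names and the list of fields treated as required are assumptions made for the example; the embedded SBOM is constructed sample data.

```python
"""Sketch: CycloneDX SBOM -> ORT-style packages, plus an enrichment gap report."""
import json
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Assumed subset of purl type -> ORT Identifier type; ORT's real table is larger.
PURL_TYPE_TO_ORT = {
    "maven": "Maven", "npm": "NPM", "pypi": "PyPI", "gem": "Gem",
    "cargo": "Cargo", "golang": "Go", "nuget": "NuGet",
}

# Fields we treat as "must be present" for downstream ORT steps (assumption).
REQUIRED_FOR_ORT = ("declared_licenses", "homepage_url", "vcs_url", "source_artifact_url")


@dataclass
class OrtPackage:
    """Hypothetical flattened view of ORT's Package model (names are illustrative)."""
    id: str
    declared_licenses: list = field(default_factory=list)
    description: str = ""
    homepage_url: str = ""
    binary_artifact_url: str = ""
    source_artifact_url: str = ""
    vcs_url: str = ""
    missing: list = field(default_factory=list)


def purl_to_ort_id(purl: str) -> str:
    """Map 'pkg:type/namespace/name@version' onto 'Type:namespace:name:version'."""
    core = purl.split("?", 1)[0].split("#", 1)[0]  # drop qualifiers and subpath
    m = re.fullmatch(r"pkg:([^/]+)/(.+)", core)
    if not m:
        raise ValueError(f"not a purl: {purl}")
    ptype, rest = m.group(1).lower(), m.group(2)
    version = ""
    if "@" in rest:
        rest, version = rest.rsplit("@", 1)
    parts = [unquote(p) for p in rest.split("/")]
    name, namespace = parts[-1], "/".join(parts[:-1])
    ort_type = PURL_TYPE_TO_ORT.get(ptype, ptype.capitalize())
    return f"{ort_type}:{namespace}:{name}:{unquote(version)}"


def convert_cyclonedx(sbom_json: str) -> list[OrtPackage]:
    """Convert the components of a CycloneDX JSON document and record metadata gaps."""
    packages = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no stable identity to map onto; a real tool would report this
        pkg = OrtPackage(id=purl_to_ort_id(purl), description=comp.get("description", ""))
        pkg.declared_licenses = [
            lic["license"].get("id") or lic["license"].get("name", "")
            for lic in comp.get("licenses", []) if "license" in lic
        ]
        for ref in comp.get("externalReferences", []):
            kind, url = ref.get("type"), ref.get("url", "")
            if kind == "website":
                pkg.homepage_url = url
            elif kind == "vcs":
                pkg.vcs_url = url
            elif kind == "distribution":
                # CycloneDX does not say whether this is a source or binary artifact,
                # so it is kept as a binary artifact; the source artifact stays a gap.
                pkg.binary_artifact_url = url
        # Everything listed here is what an enrichment step (registry lookup, as ORT's
        # package managers do it) would have to supply before ORT can proceed.
        pkg.missing = [f for f in REQUIRED_FOR_ORT if not getattr(pkg, f)]
        packages.append(pkg)
    return packages


def enrichment_report(packages: list[OrtPackage]) -> dict:
    """Map package id -> list of fields still needing enrichment."""
    return {p.id: p.missing for p in packages if p.missing}


# Constructed sample SBOM: one well-described component, one bare one, one without a purl.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.commons", "name": "commons-lang3",
         "version": "3.12.0", "purl": "pkg:maven/org.apache.commons/commons-lang3@3.12.0",
         "licenses": [{"license": {"id": "Apache-2.0"}}],
         "externalReferences": [
             {"type": "website", "url": "https://example.invalid/commons-lang"},
             {"type": "vcs", "url": "https://example.invalid/commons-lang.git"}]},
        {"type": "library", "group": "@angular", "name": "core", "version": "12.0.0",
         "purl": "pkg:npm/%40angular/core@12.0.0"},
        {"type": "library", "name": "no-purl-lib", "version": "1.0"},
    ],
})

if __name__ == "__main__":
    for pkg_id, gaps in enrichment_report(convert_cyclonedx(SAMPLE_SBOM)).items():
        print(pkg_id, "needs enrichment for:", ", ".join(gaps))
```

Running it on the sample prints one line per package that still has gaps; the scoped npm component, which carries only a purl, is missing every required field, while the Maven component only lacks a source artifact. That gap list is exactly what the issue's enrichment step would consume, and it is why the same registry-querying code that ORT's package managers use would need to be callable outside of them.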