draft: wip: feat: compare SBOMs and show components only present in target SBOM #121
base: main
Conversation
916829c to 3f61201
| """ | ||
| if "spdxVersion" in data: | ||
| return "spdx" | ||
| if data.get("bomFormat", "").lower() == "cyclonedx": |
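Review bot: the `.lower()` in `if data.get("bomFormat", "").lower() == "cyclonedx":` assumes `bomFormat` is always a string; an SBOM with `"bomFormat": null` (or any non-string value) raises AttributeError here instead of simply not matching CycloneDX. Suggest `str(data.get("bomFormat", "")).lower()` or an explicit `isinstance(..., str)` check, and a guard that `data` is a dict before the `"spdxVersion" in data` membership test, since a JSON list would otherwise pass the `in` test silently.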
Please use the constants we provide to define the format.
| @classmethod | ||
| def load_spdx_sbom(cls, path): |
Please put this behind a factory and add the concrete implementations into compare/spdx.py and compare/cdx.py.
| @classmethod | ||
| def load_spdx_sbom(cls, path): | ||
| """Return packages keyed by purl or fallback name@version.""" | ||
| with open(path) as f: |
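Review bot: `with open(path) as f:` only handles local files, but the argparse help text in this same PR describes the input as "Path or URL to the target (new) SBOM file"; passing a URL will fail inside `open()`. Either resolve URLs to a local file (or a file-like object) before calling `load_spdx_sbom`, or narrow the help text to paths. Also pass `encoding="utf-8"` to `open()` so parsing does not depend on the locale default encoding.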
The bomreader class should already provide the infrastructure to read SBOMs. By that, probably all type-specific sbom loading can be avoided.
| @classmethod | ||
| def build_extra_cdx(cls, extra_components, new_metadata=None): |
Please use the bomwriter logic to re-create an sbom.
| @classmethod | ||
| def compare_items(cls, base_sbom_comp, target_sbom_comp, key_name): |
Don't we already have a similar infrastructure in merge?
| help="Path or URL to the target (new) SBOM file" | ||
| ) | ||
| parser.add_argument( |
Please support the unified output (e.g. file or stdout), similar to the other output options. Please also consider making it an optional positional argument instead of an option.
The same applies to the input options.
Signed-off-by: badrikesh prusty <[email protected]>
3f61201 to 2b8e2c1
This is currently a work in progress. I’ll provide an update once it’s completed.