[feature] Improve CDX parsing #1884
Comments
Hey @pxp928, I would like to work on this. Just wanted to ask here how we use the direct dependencies that we get from *c.cdxBom.Dependencies?

Hey @Yaxhveer! So it should be Let me know if you have other questions! Looking forward to the contribution :)

Hey @pxp928, just a simple doubt here: is the dependency type between top level and foundPkg, or between foundPkg and DepPkg (in func GetIsDep())?
guac/pkg/ingestor/parser/common/helpers.go Lines 49 to 56 in 4dc7c94

Based off this CycloneDX/specification#33 (comment) it can be both. So if
guac/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go Lines 285 to 309 in 4dc7c94
In that case you will have to remove these lines:
as we don't want to skip. If

Thanks, just wanted to confirm that.
Is your feature request related to a problem? Please describe.
Currently, the CDX parser appends all dependencies to the top level package which may be inaccurate:
https://github.com/guacsec/guac/blob/main/pkg/ingestor/parser/cyclonedx/parser_cyclonedx.go#L243-L262
Instead, this needs to be done based on the relationships defined by the CDX SBOM.
Describe the solution you'd like
see CycloneDX/specification#33
Describe alternatives you've considered
None
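To make the difference concrete, the following is an added example (not guac's parser code and not cyclonedx-go's types; the struct definitions below are a minimal mirror of the CycloneDX JSON fields `metadata.component`, `components[].bom-ref`/`purl` and `dependencies[].ref`/`dependsOn`, and the BOM document is constructed for the example). `flatEdges` reproduces the behaviour the issue describes, where every component is attached to the top-level component; `graphEdges` instead walks the `dependencies` array so that `liba -> libb` is recorded as an edge from `liba`, not from the application, and reports any `ref` that does not resolve to a known component instead of dropping it silently.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Minimal mirror of the CycloneDX JSON fields this example needs (constructed
// for the example; not the guac parser's or cyclonedx-go's types).
type cdxComponent struct {
	BOMRef  string `json:"bom-ref"`
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}

type cdxDependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

type cdxBOM struct {
	Metadata struct {
		Component cdxComponent `json:"component"`
	} `json:"metadata"`
	Components   []cdxComponent  `json:"components"`
	Dependencies []cdxDependency `json:"dependencies"`
}

// Edge is one "parent depends on child" relationship, keyed by purl.
type Edge struct {
	Parent, Child string
}

// flatEdges is the behaviour the issue describes: every component hangs off
// the top-level (metadata) component, regardless of the dependency graph.
func flatEdges(bom *cdxBOM) []Edge {
	var out []Edge
	for _, c := range bom.Components {
		out = append(out, Edge{Parent: bom.Metadata.Component.PURL, Child: c.PURL})
	}
	return out
}

// graphEdges follows bom.dependencies instead: each ref's dependsOn entries
// become edges from that ref's component to the child component. Refs that
// do not resolve to a known component are returned so the caller can warn or
// fail rather than silently losing part of the graph.
func graphEdges(bom *cdxBOM) (edges []Edge, unresolved []string) {
	byRef := map[string]cdxComponent{bom.Metadata.Component.BOMRef: bom.Metadata.Component}
	for _, c := range bom.Components {
		byRef[c.BOMRef] = c
	}
	for _, d := range bom.Dependencies {
		parent, ok := byRef[d.Ref]
		if !ok {
			unresolved = append(unresolved, d.Ref)
			continue
		}
		for _, childRef := range d.DependsOn {
			child, ok := byRef[childRef]
			if !ok {
				unresolved = append(unresolved, childRef)
				continue
			}
			edges = append(edges, Edge{Parent: parent.PURL, Child: child.PURL})
		}
	}
	// Deterministic order makes the output diffable and testable.
	sort.Slice(edges, func(i, j int) bool {
		if edges[i].Parent != edges[j].Parent {
			return edges[i].Parent < edges[j].Parent
		}
		return edges[i].Child < edges[j].Child
	})
	return edges, unresolved
}

// sampleBOM is a constructed CycloneDX document: app -> liba -> libb, plus a
// dangling "missing" ref to exercise the unresolved path.
const sampleBOM = `{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "app", "version": "1.0.0", "purl": "pkg:generic/app@1.0.0"}},
  "components": [
    {"bom-ref": "liba", "name": "liba", "version": "2.0.0", "purl": "pkg:generic/liba@2.0.0"},
    {"bom-ref": "libb", "name": "libb", "version": "3.1.0", "purl": "pkg:generic/libb@3.1.0"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["liba"]},
    {"ref": "liba", "dependsOn": ["libb", "missing"]}
  ]
}`

func parseBOM(data []byte) (*cdxBOM, error) {
	var bom cdxBOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, err
	}
	return &bom, nil
}

func main() {
	bom, err := parseBOM([]byte(sampleBOM))
	if err != nil {
		panic(err)
	}
	fmt.Println("flat:", flatEdges(bom))
	edges, unresolved := graphEdges(bom)
	fmt.Println("graph:", edges)
	fmt.Println("unresolved:", unresolved)
}
```

With the sample document, `flatEdges` claims that `app` depends directly on both `liba` and `libb`, while `graphEdges` yields `app -> liba` and `liba -> libb` and flags `missing`; the second view is the one a consumer needs to tell a direct dependency from a transitive one.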