Part of the FOSSer CLI Tool Series to generate full documentation of the SBOM.
This part is responsible for generating a common dependency list out of an SBOM
generated by tooling.
- Converts Syft JSON output
- Sets top-level dependencies for npm packages
- Sorts and maps packages by language for easier processing
- Adds compatibility with a variety of SBOM tools
After building the Go application it can be used as follows:
fosser_toolconverter [Path/To/SBOM] [Path/For/Output] (optional) --npm [Path/To/Package.json]
Because most SBOM tools can only read package-lock.json, which often contains more than 800 packages down to the deepest child dependency, the --npm flag can be given with the path to the package.json. The tool then reads the direct dependencies from there and marks them as top-level in the output file.
The tool outputs a dependency.json file with the following structure:
type SBOM struct {
    ProjectName  string
    Languages    []string
    Dependencies map[string][]Dependency
}

type Dependency struct {
    ID         string
    ImportName string
    Version    string
    Licenses   []string
    Language   string
    TopLevel   bool
}
ID: Hash value of the package
ImportName: The name that is given by the SBOM tool
Version: The exact version of the package that is used
Licenses: An array of all licenses the package uses
Language: The language the package is from
TopLevel: Whether the package is a direct (top-level) dependency; important for npm and Docker
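As an added illustration (not the project's own code) of how the --npm flag's top-level marking can work on the structure above: the Go types mirror dependency.json, and a hypothetical MarkTopLevel reads the dependencies and devDependencies sections of a package.json and flags matching packages. The language key ("javascript") and the sample package.json are assumptions constructed for this example.

```go
package main

import "encoding/json"

// Go types mirroring the dependency.json structure described above.
type SBOM struct {
	ProjectName  string
	Languages    []string
	Dependencies map[string][]Dependency
}

type Dependency struct {
	ID, ImportName, Version, Language string
	Licenses                          []string
	TopLevel                          bool
}

// packageJSON holds only the package.json sections needed for marking.
type packageJSON struct {
	Dependencies    map[string]string `json:"dependencies"`
	DevDependencies map[string]string `json:"devDependencies"`
}

// MarkTopLevel sets TopLevel on each entry of sbom.Dependencies[lang] whose
// ImportName is declared directly in package.json and returns the count marked;
// transitive packages known only from package-lock.json stay TopLevel == false.
func MarkTopLevel(sbom *SBOM, lang string, pkgJSON []byte) (int, error) {
	var pj packageJSON
	if err := json.Unmarshal(pkgJSON, &pj); err != nil {
		return 0, err
	}
	direct := map[string]bool{}
	for _, section := range []map[string]string{pj.Dependencies, pj.DevDependencies} {
		for name := range section {
			direct[name] = true
		}
	}
	marked := 0
	deps := sbom.Dependencies[lang] // writes to deps[i] are visible through sbom
	for i := range deps {
		if direct[deps[i].ImportName] {
			deps[i].TopLevel = true
			marked++
		}
	}
	return marked, nil
}

// Constructed sample package.json (not from a real project).
const SamplePackageJSON = `{"dependencies":{"express":"^4.18.2"},"devDependencies":{"jest":"^29.0.0"}}`
```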
foss_toolconverter
┣ cmd
┃ ┗ rootCmd.go
┣ internal
┃ ┣ models
┃ ┃ ┗ dependency.go
┃ ┣ manager.go
┃ ┣ packageJson.go
┃ ┗ syft_convert.go
┣ .gitignore
┣ go.mod
┣ go.sum
┗ main.go