2nd tier sbom #39
Comments
Confirm that the current implementation can do 2nd tier for both npm and hex packages.
Confirmed! The BOMs generated contain 2nd tier deps for hex packages; the npm specified deps don't have 2nd tier deps (confirmed here). This is both in XML and JSON outputs.
The link you provided, https://www.npmjs.com/package/package, leads to a totally different package.
@sigu under that link, when you look at the dependencies tab, you'll find that the core dependencies used under npm have no 2nd tier dependencies. Let me know if this makes sense.
Not really making sense. Let me attempt to explain what I understand by 2nd tier dependency. Have a look at a dependency called . This is one dependency that has other dependencies too. The dependencies listed above are considered 2nd tier dependencies (our dependency has them as a dependency).
I will generate a new BOM file for the npm deps, including the devDeps, and then give an update on whether the 2nd tier is catered for. Thank you for flagging this.
Looking at the first-hop CycloneDX JSON SBOM, determine what is missing (from the hex SBOM or from manually looking at dependencies and/or build logs) and either add it or make a subtending SBOM.
Use https://sbom.democert.org/sbom/ to manually make SBOMs for the 2nd tier (unless using the hex SBOM is easier, but the issue is JSON vs XML, and the hex SBOM doesn't support CycloneDX with relationships and with JSON).
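As an added example (not code from this project), the check below reads a CycloneDX JSON SBOM and tells you whether the direct dependencies of the root component carry their own `dependsOn` edges, i.e. whether the 2nd tier is actually recorded; it also distinguishes a direct dependency that is declared as a leaf (empty `dependsOn`) from one that simply has no `dependencies` entry, which is the case CycloneDX treats as "dependencies unknown" and the gap to fill from a hex SBOM or a subtending SBOM. The SBOM and the `lib-a`/`lib-b`/`lib-c` package names are constructed for the example.

```python
import json
from collections import deque

# Constructed CycloneDX 1.4 JSON: "app" depends on lib-a and lib-b; lib-a
# records its own dependency (lib-c, a declared leaf); lib-b has no entry.
SAMPLE_SBOM = json.loads("""{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "metadata": {"component": {"bom-ref": "app", "name": "app", "type": "application"}},
  "components": [
    {"bom-ref": "pkg:npm/lib-a@1.0.0", "name": "lib-a", "version": "1.0.0", "type": "library"},
    {"bom-ref": "pkg:npm/lib-b@2.0.0", "name": "lib-b", "version": "2.0.0", "type": "library"},
    {"bom-ref": "pkg:npm/lib-c@3.0.0", "name": "lib-c", "version": "3.0.0", "type": "library"}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/lib-a@1.0.0", "pkg:npm/lib-b@2.0.0"]},
    {"ref": "pkg:npm/lib-a@1.0.0", "dependsOn": ["pkg:npm/lib-c@3.0.0"]},
    {"ref": "pkg:npm/lib-c@3.0.0", "dependsOn": []}
  ]
}""")

def dependency_graph(bom: dict) -> dict:
    """bom-ref -> dependsOn list, for every ref that has a dependencies entry."""
    return {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}

def root_ref(bom: dict) -> str:
    return bom["metadata"]["component"]["bom-ref"]

def second_tier(bom: dict) -> dict:
    """Each direct dependency of the root mapped to the refs it depends on."""
    graph = dependency_graph(bom)
    return {direct: graph.get(direct, []) for direct in graph.get(root_ref(bom), [])}

def unrecorded_direct_deps(bom: dict) -> list:
    """Direct deps with no dependencies entry at all: an empty dependsOn means
    'known leaf', a missing entry means the 2nd tier is unknown (the real gap)."""
    graph = dependency_graph(bom)
    return [d for d in graph.get(root_ref(bom), []) if d not in graph]

def tiers(bom: dict) -> dict:
    """Breadth-first tier number for every reachable ref (root is tier 0)."""
    graph, start = dependency_graph(bom), root_ref(bom)
    depth, queue = {start: 0}, deque([start])
    while queue:
        ref = queue.popleft()
        for child in graph.get(ref, []):
            if child not in depth:  # visited check also stops on cycles
                depth[child] = depth[ref] + 1
                queue.append(child)
    return depth
```

Run it against a real generated BOM by replacing `SAMPLE_SBOM` with `json.load(open(path))`; a non-empty `unrecorded_direct_deps` result is exactly the npm symptom described in the thread.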