2nd tier sbom #39
Comments
sparrell
created this issue from a note
in CybersecurityAutomationWorkshop
(Next up - Sigu)
sigu
moved this from Next up - Sigu
to In progress - Sigu
in CybersecurityAutomationWorkshop
|
Confirm that the current implementation can do 2nd tier for bot npm and hex packages |
|
Confirmed! the boms generated contain 2nd tier deps for hex packages, the npm specified deps don't have 2nd tier deps (confirmed here), this is both in xml and json outputs. |
|
The link you provided https://www.npmjs.com/package/package, leads to a totally different package. |
|
@sigu under that link when you look at the dependencies tab, you'll find that the core dependencies used under npm have no 2nd tier dependencies. Let me know if this makes sense. |
|
Not really making sense. Let me attempt to explain what I understand by 2nd tier dependency. Have a look at a dependency called This is one dependency that has other dependencies too The dependencies listed above are considered 2nd tier dependencies (our dependency has them as a dependency) |
|
I will generate a new bom file for the npm deps including the devdeps and then give an update on whether the 2nd tier is catered for. Thank you for flagging this. |
looking at first hop cyclonedx json sbom determine what is missing (from hex sbom or from manually looking at dependencies and/or build logs) and either add or make a subtending sbom.
Use https://sbom.democert.org/sbom/ to manually make sboms for 2nd tier (unless using hex sbom is easier but issue is json vs xml and hex sbom doesn't support cyclonedx with relationships and with json)
The text was updated successfully, but these errors were encountered: