Twinklymaha responds to the openc2 query-sbom command with a hardcoded response of a previously created sbom.
The response is a base64-encoded cyclonedx xml sbom.
The code which does this is around line 93 of https://github.com/sparrell/TwinklyMaHa/blob/main/lib/Oc2/do_query_sbom.ex.

There are several issues that need correcting:

- Instead of responding with base64-encoded xml, respond with json.
- The command right now only allows for one type of cyclonedx. The proposal is to allow for two types, xml and json. Use "cyclonedx" for xml and "cyclonedj" for json. The cyclonedj option should replace the cyclonedx option as the only one responded to. Adding xml as a second choice could be a subsequent task.
- The sbom should not be hardcoded. It should be retrieved from a file. Initially the file could be 'hardcoded' into the src (requiring developers to remember to update it), but eventually, ideally, it should be in a known location and retrieved as part of the build process.

Step 1 - Leaving the control structure alone (i.e. still "cyclonedx", not "cyclonedj"), replace line 93 with something that retrieves a json file and inserts the sbom json "inside" the response json. To begin with, the file can be anywhere convenient and for now can just be any old json sbom file.

Step 2 - Once #63 is complete and creating json sboms is part of the build process, modify what was done in step 1 to retrieve the actual sbom for this repo.

Step 3 - Once step 2 works, look to modifying the control flow to operate correctly. The Openc2 query-sbom command has a parameter which lists the priority order of formats (e.g. ["spdx", "cyclonedj", "cyclonedx", "swid"] means return spdx if you have it; if you don't, return cyclonedj; if you don't, return cyclonedx; and if you don't, return swid). Right now it only looks for "cyclonedx". Change it so it looks wherever the previous bullet implemented for what formats it has (e.g. it might have cyclonedj and cyclonedx) and returns the best choice based on what was requested (in this example cyclonedj). Allow for the developer manually putting spdx or swid formatted files in that directory. cyclonedx and cyclonedj should be created by build tools in the previous bullet. For cyclonedj, return the sbom json embedded in the response json. For spdx, cyclonedx, and swid, the response needs to be base64 encoded.
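One way Step 3's format selection and response building could look, as an added example that is not the TwinklyMaHa project's own code: the module name, the SBOM directory layout, the file names, the `Jason` dependency and the shape of the results map are all assumptions. Each requested format is mapped through a fixed allowlist to a fixed file name, so the caller-supplied format string never becomes part of a file path.

```elixir
defmodule Oc2.SbomSelector do
  @moduledoc """
  Added example (not the project's code): pick the best available SBOM for an
  OpenC2 query-sbom request and build the results map. Assumes SBOMs live in
  one directory under fixed file names (assumed names below).
  """

  # Allowlist: format name -> file name. Anything not in this map is ignored,
  # so a requested format string is never used to build a path.
  @sbom_files %{
    "spdx" => "sbom.spdx.json",
    "cyclonedj" => "sbom.cyclonedx.json",
    "cyclonedx" => "sbom.cyclonedx.xml",
    "swid" => "sbom.swid.xml"
  }

  @doc "First format in the requested priority list for which a file exists, or nil."
  def choose_format(requested, dir) when is_list(requested) do
    Enum.find(requested, fn fmt ->
      case Map.fetch(@sbom_files, fmt) do
        {:ok, name} -> File.regular?(Path.join(dir, name))
        :error -> false
      end
    end)
  end

  @doc "Build the query-sbom results for the chosen format (results shape is assumed)."
  def build_results(nil, _dir), do: {:error, :no_sbom_available}

  def build_results(fmt, dir) do
    content = File.read!(Path.join(dir, Map.fetch!(@sbom_files, fmt)))

    case fmt do
      # cyclonedj: embed the decoded JSON document inside the response JSON
      "cyclonedj" ->
        with {:ok, json} <- Jason.decode(content) do
          {:ok, %{"sbom" => %{"type" => "cyclonedj", "content" => json}}}
        end

      # spdx / cyclonedx / swid: base64-encode the raw file contents
      _ ->
        {:ok, %{"sbom" => %{"type" => fmt, "content" => Base.encode64(content)}}}
    end
  end
end

# Usage: with ["spdx", "cyclonedj", "cyclonedx", "swid"] requested and only the
# two cyclonedx files present, choose_format/2 returns "cyclonedj".
```

If `Jason.decode/1` fails on the cyclonedj file, `build_results/2` returns that `{:error, _}` tuple unchanged, so a corrupt SBOM produced by the build is reported rather than embedded.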