Include packages in application SBOM #85
Labels
enhancement
New feature or request
Milestone
Comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
By using
go list, we get to know which packages are actually used, but we currently don't include this information in the SBOM.Using the info we already have, we can construct a structure according to
modules > packages > files, for example:{ "bom-ref": "pkg:golang/github.com/ProtonMail/[email protected]", "type": "library", "name": "github.com/ProtonMail/go-crypto", "version": "v0.0.0-20210428141323-04723f9f07d7", "scope": "required", "hashes": [ { "alg": "SHA-256", "content": "62825b7a72bd0baed29339037e642e5659f4e328078f7be365f77d14bf869904" } ], "purl": "pkg:golang/github.com/ProtonMail/[email protected]", "components": [ { "bom-ref": "pkg:golang/github.com/ProtonMail/go-crypto#[email protected]", "type": "library", "name": "bitcurves", "version": "v0.0.0-20210428141323-04723f9f07d7", "scope": "required", "purl": "pkg:golang/github.com/ProtonMail/go-crypto#[email protected]", "components": [ { "type": "file", "name": "bitcurve.go", "version": "v0.0.0-2472c8e5f796", "scope": "required", "hashes": [ { "alg": "MD5", "content": "b4689d8871aa46bb387ef148944f8da8" }, { "alg": "SHA-1", "content": "2472c8e5f796d8463738938fea98398dabba08ad" } // ... ] } ] } ] }Including the packages should probably be enabled per default, but including individual files should still be optional.
The text was updated successfully, but these errors were encountered: