
Conversation

@xaker00 xaker00 commented Oct 1, 2025

  • create pydantic models for CycloneDX v1.6 and SPDX v2.3
  • use uv for running without venv
  • remove outdated test file

UV is not required, but recommended. Versions in the requirements.txt are known to work.

@xaker00 xaker00 requested a review from Copilot October 1, 2025 18:36

Copilot AI left a comment


Pull Request Overview

Adds CycloneDX (v1.6) support alongside existing SPDX (v2.3) by introducing Pydantic models and refactoring SBOM parsing and merging logic. Also updates usage instructions to optionally run via uv and removes an outdated test file.

  • Introduces typed models for SPDX and CycloneDX and unified FDARecord export format
  • Refactors merge/dedup logic (list-based FDARecord processing) and Excel export
  • Removes prior merge test; README updated with supported formats and uv usage

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| gen_sbom.py | Major refactor: adds data models, new merge/deduplicate logic, Excel export rewrite, CycloneDX support |
| README.md | Documents supported formats and uv-based execution |
| test_gen_sbom.py | Removed legacy merge test (no replacement added) |


@xaker00 xaker00 requested a review from Copilot October 1, 2025 19:08

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 3 comments.


- use `packaging.version` to compare versions
- minor fixes
@xaker00 xaker00 force-pushed the feat/process-cyclonedx branch from dfb4631 to 7c91e20 Compare October 1, 2025 19:21
VCPKG is in the process of better supporting SBOMs. In the meantime,
this is the next best solution. This allows mapping the packages to CPE
strings. There is a manual map in vcpkg.yml. Not very nice, but better
than nothing.
Mostly AI generated. Trivy and Syft/Grype are better tools. Use this
only as a last resort. There is a reason entire projects and
paid products exist to solve this problem. It is not trivial. You
can get around 80% with this tool, but the last 20% is very difficult.
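As an added example (not the PR's own code and not the project's `gen_sbom.py`), here is the shape that the description's first bullet and the `packaging.version` commit describe: typed models for a small subset of CycloneDX 1.6 `components[]` and SPDX 2.3 `packages[]`, a unified record standing in for the PR's FDARecord (its real fields are not shown on this page, so the ones below are assumed), and a merge that de-duplicates by package name and keeps the highest version. The PR uses pydantic; this uses stdlib dataclasses so it runs without extra dependencies, and falls back to a dotted-integer comparison when `packaging` is not installed. The sample documents are constructed, not real SBOMs.

```python
"""Added example: parse a CycloneDX 1.6 / SPDX 2.3 subset into one record
type and merge by name, keeping the highest version (1.10.0 > 1.9.1)."""
from __future__ import annotations

from dataclasses import dataclass
from functools import total_ordering
from typing import Any, Iterable

try:
    from packaging.version import InvalidVersion, Version
except ImportError:  # minimal stand-in so the example runs without `packaging`
    class InvalidVersion(ValueError):
        pass

    @total_ordering
    class Version:
        def __init__(self, text: str) -> None:
            try:
                self.key = tuple(int(p) for p in text.split("."))
            except ValueError:
                raise InvalidVersion(text) from None

        def __eq__(self, other: object) -> bool:
            return isinstance(other, Version) and self.key == other.key

        def __lt__(self, other: "Version") -> bool:
            return self.key < other.key


@dataclass(frozen=True)
class Record:
    """Unified export row (hypothetical stand-in for the PR's FDARecord)."""
    name: str
    version: str
    license: str
    purl: str | None
    source_format: str


def _require(obj: dict[str, Any], key: str, where: str) -> Any:
    """Fail loudly on a missing required field instead of exporting a blank."""
    if key not in obj:
        raise ValueError(f"{where}: missing required field {key!r}")
    return obj[key]


def parse_cyclonedx(doc: dict[str, Any]) -> list[Record]:
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    out = []
    for i, comp in enumerate(doc.get("components", [])):
        lics = []
        for entry in comp.get("licenses", []):  # either an expression or a license object
            if "expression" in entry:
                lics.append(entry["expression"])
            elif "license" in entry:
                lics.append(entry["license"].get("id") or entry["license"].get("name", "NOASSERTION"))
        out.append(Record(name=_require(comp, "name", f"components[{i}]"),
                          version=str(comp.get("version", "")),
                          license=" AND ".join(lics) or "NOASSERTION",
                          purl=comp.get("purl"),
                          source_format=f"CycloneDX {doc.get('specVersion', '?')}"))
    return out


def parse_spdx(doc: dict[str, Any]) -> list[Record]:
    if not str(doc.get("spdxVersion", "")).startswith("SPDX-2."):
        raise ValueError("not an SPDX 2.x document")
    out = []
    for i, pkg in enumerate(doc.get("packages", [])):
        purl = next((r["referenceLocator"] for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        out.append(Record(name=_require(pkg, "name", f"packages[{i}]"),
                          version=str(pkg.get("versionInfo", "")),
                          license=pkg.get("licenseConcluded", "NOASSERTION"),
                          purl=purl, source_format=doc["spdxVersion"]))
    return out


def version_key(text: str):
    """Parsable versions compare numerically; unparsable ones sort below them."""
    try:
        return (1, Version(text))
    except InvalidVersion:
        return (0, text)


def merge(records: Iterable[Record]) -> list[Record]:
    """De-duplicate by case-insensitive name, keeping the highest version seen."""
    best: dict[str, Record] = {}
    for rec in records:
        key = rec.name.lower()
        if key not in best or version_key(rec.version) > version_key(best[key].version):
            best[key] = rec
    return sorted(best.values(), key=lambda r: r.name.lower())


# Constructed sample documents (not real SBOMs); zlib is newer in the CycloneDX
# file, fmt is newer in the SPDX file, curl appears only once.
CDX_DOC = {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
    {"type": "library", "name": "zlib", "version": "1.3.1",
     "purl": "pkg:generic/zlib@1.3.1", "licenses": [{"license": {"id": "Zlib"}}]},
    {"type": "library", "name": "fmt", "version": "1.9.1",
     "purl": "pkg:generic/fmt@1.9.1", "licenses": [{"expression": "MIT"}]}]}
SPDX_DOC = {"spdxVersion": "SPDX-2.3", "packages": [
    {"name": "zlib", "versionInfo": "1.2.13", "licenseConcluded": "Zlib",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/zlib@1.2.13"}]},
    {"name": "fmt", "versionInfo": "1.10.0", "licenseConcluded": "MIT"},
    {"name": "curl", "versionInfo": "8.4.0", "licenseConcluded": "curl"}]}


def merged_sample() -> list[Record]:
    return merge(parse_cyclonedx(CDX_DOC) + parse_spdx(SPDX_DOC))


if __name__ == "__main__":
    for r in merged_sample():
        print(f"{r.name:6} {r.version:8} {r.license:6} {r.source_format}")
```

The `version_key` tuple is what makes the merge safe across mixed inputs: a naive string comparison would rank `1.9.1` above `1.10.0`, and a bare `Version()` call would crash on a vcpkg-style version string that is not PEP 440, so unparsable versions are kept but ranked below parsable ones instead of aborting the export.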