Documentation
Overview
Package sbom captures the internal data model of the SBOMs melange produces into a private, generalized bill of materials model (with relationship data) designed to be converted to specific formats — for now, just SPDX.
Index
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type Document (added in v0.14.0)
type Document struct {
	CreatedTime time.Time
	Describes   *Package
	Packages    []Package

	// Relationships is a list of relationships between elements in the SBOM.
	//
	// We're using the SPDX relationship type for now out of convenience, but we can
	// decouple this from our internal SBOM types later if it becomes valuable.
	Relationships []spdx.Relationship

	// LicensingInfos is a map of instances of the `Copyright.License` field in the
	// described package's build configuration to the string content of the file
	// from its corresponding `Copyright.LicensePath` field. It should be set by the
	// consumer, using the value from calling `(config.Package).LicensingInfos` on
	// the package being set as this document's described package.
	LicensingInfos map[string]string
}
Document is a representation of the SBOM information provided by the build process. It is later converted to an SPDX document.
func NewDocument (added in v0.14.0)
func NewDocument() *Document
NewDocument creates a new Document.
func (*Document) AddPackage (added in v0.14.0)
AddPackage adds a package to the document.
func (*Document) AddPackageAndSetDescribed (added in v0.14.0)
AddPackageAndSetDescribed adds a package to the document and sets it as the document's described package.
func (*Document) AddRelationship (added in v0.14.0)
AddRelationship adds a relationship between two elements in the SBOM.
type Element (added in v0.14.0)
type Element interface {
	// ID returns the unique identifier for this element.
	ID() string
}
Element represents any referenceable entity in an SBOM.
type Package (added in v0.14.0)
type Package struct {
	// IDComponents lets the consumer specify additional bits of data that should be
	// included in the generation of the eventual SBOM package ID. By default, this
	// slice has a length of zero, in which case only the package's name and version
	// will be used. But sometimes it's necessary to include more bits of data to
	// ensure package IDs remain unique. If this slice's length is non-zero, only
	// these values will be used when producing the ID (via calling the ID method)
	// (i.e. name and version would need to be added explicitly to this slice).
	IDComponents []string

	// The name of the origin package, a subpackage, or any other kind of (e.g.
	// non-APK) package for inclusion in the SBOM.
	Name string

	// The version of the package. For APK packages, this should be the "full
	// version" (including the epoch).
	Version string

	// This is the copyright text in the SPDX package. It's usually left blank.
	Copyright string

	// SPDX license expression. Leaving this empty will result in NOASSERTION being
	// used as its value.
	LicenseDeclared string

	// Name of the distro/organization that produced the package. E.g. "wolfi".
	//
	// TODO: consider renaming this to avoid confusion from our other uses of
	// "namespace", perhaps to "supplier" or "originator" (or have both), and signal
	// that it's safe to leave this blank.
	Namespace string

	// The architecture of the package. E.g. "aarch64". This field isn't always
	// relevant, especially when describing material upstream of the built APK
	// package (e.g. source code or language ecosystem dependencies).
	Arch string

	// Checksums of the package. The keys are the checksum algorithms (e.g. "SHA-256"),
	// and the values are the checksums.
	//
	// TODO: We're not currently using this field, consider removing it.
	Checksums map[string]string

	// The Package URL for this package, if any. If set, it will be added as the
	// only ExternalRef of type "purl" to the SPDX package. (A package
	// should have only one PURL external ref.)
	PURL *purl.PackageURL
}
Package is a representation of an SBOM package specified by the build process. It is later converted to an SPDX package, but it doesn't expose fields that are invariant in the SPDX output.
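The IDComponents rule on Package and the Describes/Relationships model on Document together decide whether the SPDX output is trustworthy: two packages that collapse to one ID, or a relationship pointing at an element the document never declares, produce an SBOM that misrepresents the build. The following is an added example, not melange code; it uses local stand-in types for the fields it needs (not the melange or spdx types themselves), applies the documented IDComponents rule, and assumes an "SPDXRef-Package-" prefix for the eventual ID, which the page does not specify.

```go
package main

import "strings"

// Local stand-ins for the page's model fields this example uses, not the melange/spdx types.
type Package struct {
	IDComponents        []string
	Name, Version, Arch string
}
type Relationship struct{ Element, Type, Related string }
type Document struct {
	Describes     *Package
	Packages      []Package
	Relationships []Relationship
}

// ID applies the documented IDComponents rule (name+version by default, otherwise only
// the listed components). The "SPDXRef-Package-" prefix is an assumed SPDX ID shape.
func (p Package) ID() string {
	parts := p.IDComponents
	if len(parts) == 0 {
		parts = []string{p.Name, p.Version}
	}
	return "SPDXRef-Package-" + strings.Join(parts, "-")
}

// Validate reports duplicate package IDs, a described package absent from
// Packages, and relationship ends that name no element in the document.
func Validate(d *Document) (problems []string) {
	ids := map[string]bool{}
	for _, p := range d.Packages {
		if ids[p.ID()] {
			problems = append(problems, "duplicate package ID: "+p.ID())
		}
		ids[p.ID()] = true
	}
	if d.Describes == nil || !ids[d.Describes.ID()] {
		problems = append(problems, "described package missing from Packages")
	}
	for _, r := range d.Relationships {
		for _, end := range []string{r.Element, r.Related} {
			if !ids[end] {
				problems = append(problems, r.Type+" relationship references unknown "+end)
			}
		}
	}
	return problems
}
```

Running Validate over two packages that share name and version but differ only in Arch reports a duplicate ID until Arch is added to IDComponents, which is exactly the case the IDComponents field exists for.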