FabianRolfMatthiasNoll / foss_toolconverter

First part of a small tool series. The task of the series is to scan a project for its dependencies, convert them to a usable format, fetch metadata for these packages and generate an ots/foss document. This tool converts any SBOM output into an output format defined by me.


FOSSer Tool: foss_toolconverter

Part of the FOSSer CLI Tool Series to generate full documentation of the SBOM

This part is responsible for generating a common dependency list out of an SBOM
produced by tooling.

Features

  • Convert Syft JSON output
  • Set top-level dependencies for npm packages
  • Sort and map packages by language for easier processing

Future Updates

  • Adding compatibility with a variety of SBOM tools

Usage/Examples

After building the Go application it can be used as follows:

fosser_toolconverter [Path/To/SBOM] [Path/For/Output] (optional) --npm [Path/To/Package.json]

Because most SBOM tools can only read the package-lock.json, which often contains more than 800 packages down to the deepest child dependency, one can add the --npm flag with the path to the package.json. The tool will then read the direct dependencies from there and mark them as top-level in the output file.

The tool outputs a dependency.json file with the following structure:

type SBOM struct {
	ProjectName  string
	Languages    []string
	Dependencies map[string][]Dependency
}

type Dependency struct {
	ID         string 
	ImportName string 
	Version    string
	Licenses   []string
	Language   string 
	TopLevel   bool
}

ID: Hash value of the package
ImportName: The name that is given by the SBOM tool
Version: The exact version of the package that is used
Licenses: An array of all licenses the package uses
Language: The language the package is from
TopLevel: Important for npm and Docker
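The following Go program is an added example, not code from the foss_toolconverter repository: it shows the two steps described above end to end, converting a reduced Syft JSON document into the SBOM/Dependency structure (grouped and sorted by language) and then marking the packages listed directly in package.json as TopLevel. The Syft field subset, the package-type-to-language mapping, the use of SHA-256 over "name@version" for the ID field, and both sample inputs are assumptions made for this example; the real Syft schema carries more fields than are declared here.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Output types as documented in the README.
type SBOM struct {
	ProjectName  string
	Languages    []string
	Dependencies map[string][]Dependency
}

type Dependency struct {
	ID         string
	ImportName string
	Version    string
	Licenses   []string
	Language   string
	TopLevel   bool
}

// syftDoc is an assumed, reduced view of Syft's JSON: only the fields this
// example needs are declared, so any other fields are ignored on decode.
type syftDoc struct {
	Artifacts []struct {
		Name     string `json:"name"`
		Version  string `json:"version"`
		Type     string `json:"type"`
		Licenses []struct {
			Value string `json:"value"`
		} `json:"licenses"`
	} `json:"artifacts"`
}

// Constructed sample inputs (not real scan output).
const sampleSyft = `{"artifacts":[
 {"name":"lodash","version":"4.17.21","type":"npm","licenses":[{"value":"MIT"}]},
 {"name":"ansi-regex","version":"5.0.1","type":"npm","licenses":[{"value":"MIT"}]},
 {"name":"github.com/spf13/cobra","version":"v1.8.0","type":"go-module","licenses":[{"value":"Apache-2.0"}]}
]}`
const samplePackageJSON = `{"dependencies":{"lodash":"^4.17.21"},"devDependencies":{}}`

// languageOf maps a Syft package type onto a language bucket (assumed mapping).
func languageOf(pkgType string) string {
	switch pkgType {
	case "npm":
		return "javascript"
	case "go-module":
		return "go"
	case "python":
		return "python"
	}
	return "unknown"
}

// packageID derives ID as hex SHA-256 over "name@version"; the README only
// says "hash value", so the exact function is an assumption here.
func packageID(name, version string) string {
	sum := sha256.Sum256([]byte(name + "@" + version))
	return hex.EncodeToString(sum[:])
}

// ConvertSyft decodes Syft JSON into the SBOM structure, grouping packages by
// language and sorting each group (and the language list) for stable output.
func ConvertSyft(project string, raw []byte) (SBOM, error) {
	var doc syftDoc
	if err := json.Unmarshal(raw, &doc); err != nil {
		return SBOM{}, fmt.Errorf("decode syft json: %w", err)
	}
	out := SBOM{ProjectName: project, Dependencies: map[string][]Dependency{}}
	for _, a := range doc.Artifacts {
		lang := languageOf(a.Type)
		var lic []string
		for _, l := range a.Licenses {
			lic = append(lic, l.Value)
		}
		out.Dependencies[lang] = append(out.Dependencies[lang], Dependency{
			ID: packageID(a.Name, a.Version), ImportName: a.Name,
			Version: a.Version, Licenses: lic, Language: lang,
		})
	}
	for lang, deps := range out.Dependencies {
		sort.Slice(deps, func(i, j int) bool { return deps[i].ImportName < deps[j].ImportName })
		out.Languages = append(out.Languages, lang)
	}
	sort.Strings(out.Languages)
	return out, nil
}

// MarkTopLevel sets TopLevel on javascript packages that package.json lists
// directly (dependencies or devDependencies); transitive ones stay false.
// It returns how many packages were marked.
func MarkTopLevel(s *SBOM, pkgJSON []byte) (int, error) {
	var pj struct {
		Dependencies    map[string]string `json:"dependencies"`
		DevDependencies map[string]string `json:"devDependencies"`
	}
	if err := json.Unmarshal(pkgJSON, &pj); err != nil {
		return 0, fmt.Errorf("decode package.json: %w", err)
	}
	direct := map[string]bool{}
	for name := range pj.Dependencies {
		direct[name] = true
	}
	for name := range pj.DevDependencies {
		direct[name] = true
	}
	marked := 0
	deps := s.Dependencies["javascript"] // slice shares the map's backing array
	for i := range deps {
		if direct[deps[i].ImportName] {
			deps[i].TopLevel = true
			marked++
		}
	}
	return marked, nil
}

func main() {
	sbom, err := ConvertSyft("demo-project", []byte(sampleSyft))
	if err != nil {
		panic(err)
	}
	if _, err := MarkTopLevel(&sbom, []byte(samplePackageJSON)); err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(sbom, "", "  ")
	fmt.Println(string(out)) // the dependency.json content
}
```

Running it prints the dependency.json content: lodash carries TopLevel true because package.json names it, ansi-regex stays false as a transitive package, and the cobra module lands in the "go" bucket untouched by the npm step.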

Folder Structure

foss_toolconverter
 ┣ cmd
 ┃ ┗ rootCmd.go
 ┣ internal
 ┃ ┣ models
 ┃ ┃ ┗ dependency.go
 ┃ ┣ manager.go
 ┃ ┣ packageJson.go
 ┃ ┗ syft_convert.go
 ┣ .gitignore
 ┣ go.mod
 ┣ go.sum
 ┗ main.go
