Consider allowing users to bring their own CycloneDX SBOM files
erichs opened this issue
There are a couple of cases where this can be helpful:
- for whatever reason, a CycloneDX-compatible BOM file is already being generated with one of these tools
- the underlying cdxgen cannot be made to work with the repo at hand
It would be really great to pass a path to a BOM.xml or BOM.json file via args or .sastscanrc, and have it skip the bomgen step for that run.
When cdxgen throws, only an empty-scan-report.sarif file is generated.
@erichs This is an interesting idea. dep-scan already supports scanning based on an existing bom file - https://github.com/AppThreat/dep-scan/blob/master/depscan/cli.py#L95
So a .sastscanrc file like below would work assuming a bom.json exists in src directory.
```json
{
  "depscan": [
    "/usr/local/bin/depscan",
    "--no-banner",
    "--suggest",
    "--src",
    "%(src)s",
    "--bom",
    "%(src)s/bom.json",
    "--report_file",
    "%(report_fname_prefix)s.json"
  ]
}
```
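A practical check before wiring a hand-supplied BOM into that .sastscanrc entry: depscan will happily take any file handed to `--bom`, so it is worth confirming the file is a CycloneDX JSON document with a non-empty component list (the CycloneDX JSON fields `bomFormat`, `specVersion` and `components` are the real ones) and that each component carries a purl or a version, since a component without either gives the vulnerability lookup nothing to match on. The script below is an added example, not code from sast-scan or dep-scan; the function names (`validate_cyclonedx_bom`, `build_sastscanrc`, `prepare`) and the embedded sample BOM are constructed for illustration, and the generated config reproduces the depscan arguments shown in the comment above.

```python
import json
from pathlib import Path

# Constructed minimal CycloneDX 1.2-style JSON BOM used as sample input (not from the project).
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.2",
    "version": 1,
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.15",
         "purl": "pkg:npm/lodash@4.17.15"},
        {"type": "library", "name": "minimist", "version": "0.0.8",
         "purl": "pkg:npm/minimist@0.0.8"},
    ],
}


def validate_cyclonedx_bom(doc):
    """Return a list of problems; an empty list means the BOM looks usable for a scan."""
    problems = []
    if not isinstance(doc, dict):
        return ["top level is not a JSON object"]
    if doc.get("bomFormat") != "CycloneDX":
        problems.append("bomFormat is not 'CycloneDX'")
    if not isinstance(doc.get("specVersion"), str):
        problems.append("specVersion missing")
    comps = doc.get("components")
    if not isinstance(comps, list) or not comps:
        problems.append("components list missing or empty: nothing to scan")
        return problems
    for i, c in enumerate(comps):
        if not isinstance(c, dict) or not c.get("name"):
            problems.append(f"component {i} has no name")
            continue
        # Without a purl or version the scanner cannot match the component to any advisory.
        if not c.get("purl") and not c.get("version"):
            problems.append(
                f"component {i} ({c['name']}) has neither purl nor version; "
                "vulnerability lookup would be blind"
            )
    return problems


def build_sastscanrc(bom_rel_path, depscan_bin="/usr/local/bin/depscan"):
    """Build the .sastscanrc 'depscan' entry from the thread, with --bom pointing at
    bom_rel_path inside %(src)s (hypothetical helper name)."""
    return {
        "depscan": [
            depscan_bin, "--no-banner", "--suggest",
            "--src", "%(src)s",
            "--bom", "%(src)s/" + bom_rel_path,
            "--report_file", "%(report_fname_prefix)s.json",
        ]
    }


def prepare(bom_path, rc_path):
    """Validate the BOM on disk and write .sastscanrc only if it passes.
    Returns the list of problems (empty on success)."""
    doc = json.loads(Path(bom_path).read_text())
    problems = validate_cyclonedx_bom(doc)
    if not problems:
        rc = build_sastscanrc(Path(bom_path).name)
        Path(rc_path).write_text(json.dumps(rc, indent=2))
    return problems


if __name__ == "__main__":
    import os
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        bom = os.path.join(d, "bom.json")
        Path(bom).write_text(json.dumps(SAMPLE_BOM))
        rc = os.path.join(d, ".sastscanrc")
        problems = prepare(bom, rc)
        print(problems or Path(rc).read_text())
```

Run it from the repository root with the BOM placed in the source directory; if the validator reports problems, fix or regenerate the BOM instead of running the scan, since an empty or malformed BOM gives the same empty-looking result the issue describes for a failed cdxgen run.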
Wow, I missed that. Perfect. Thanks also for the .sastscanrc example!