Documentation
Overview
Package sbom provides shared utilities for Software Bill of Materials generation. This package contains common logic used by both CycloneDX and SPDX formatters, as well as utilities that may be reused by audit, compliance, and reporting features.
Index
- Constants
- func BuildSPDXNamespace(baseURL, projectName, uuid string) string
- func FormatSPDXRef(elementID string) string
- func GenerateBOMRef(v VendorIdentity) string
- func GenerateSPDXID(v VendorIdentity) string
- func MetadataComment(ref, commit, vendoredAt, vendoredBy string) string
- func SanitizeSPDXID(s string) string
- func ValidateProjectName(name string) string
- type SupplierInfo
  - func ExtractSupplier(repoURL string) *SupplierInfo
- type VendorIdentity
  - func (v VendorIdentity) ShortHash() string
Constants
const DefaultProjectName = "unknown-project"
DefaultProjectName is the fallback project name used when none is provided.
const DefaultSPDXNamespace = "https://spdx.org/spdxdocs"
DefaultSPDXNamespace is the default domain for SPDX document namespaces. This can be overridden via configuration.
const MaxSPDXIDLength = 128
MaxSPDXIDLength is the maximum length for SPDX identifier components. While the SPDX spec does not define a maximum, some tools have practical limits. We use 128 characters as a reasonable limit that works with most tools.
const SPDXDocumentID = "DOCUMENT"
SPDXDocumentID is the standard SPDX document identifier.
Variables
This section is empty.
Functions
func BuildSPDXNamespace
func BuildSPDXNamespace(baseURL, projectName, uuid string) string
BuildSPDXNamespace constructs a unique SPDX document namespace.
Format: {baseURL}/{projectName}/{uuid}
func FormatSPDXRef
func FormatSPDXRef(elementID string) string
FormatSPDXRef formats an SPDX element ID with the required "SPDXRef-" prefix.
func GenerateBOMRef
func GenerateBOMRef(v VendorIdentity) string
GenerateBOMRef creates a unique CycloneDX BOM reference for a vendor.
Format: {name}@{short-hash}
For vendors with multiple refs pointing to the same commit, the hash ensures uniqueness. For different commits, the different hashes ensure uniqueness.
func GenerateSPDXID
func GenerateSPDXID(v VendorIdentity) string
GenerateSPDXID creates a unique SPDX identifier for a package.
Format: Package-{sanitized-name}-{short-hash}
The hash suffix ensures uniqueness when a vendor tracks multiple refs. Returns the ID without the "SPDXRef-" prefix (that is added during JSON serialization).
func MetadataComment
func MetadataComment(ref, commit, vendoredAt, vendoredBy string) string
MetadataComment builds a structured comment from git-vendor metadata. Only includes fields that have values, avoiding empty placeholders.
func SanitizeSPDXID
func SanitizeSPDXID(s string) string
SanitizeSPDXID converts a string to a valid SPDX identifier component. SPDX IDs must match the pattern [a-zA-Z0-9.-]+; invalid characters are replaced with hyphens. Empty input returns "unknown" to prevent invalid IDs. Very long inputs are truncated to MaxSPDXIDLength to ensure compatibility with SBOM tools that may have practical length limits.
func ValidateProjectName
func ValidateProjectName(name string) string
ValidateProjectName ensures a project name is valid for use in SBOMs. Returns the original name if valid, or DefaultProjectName if empty.
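The identifier rules documented for SanitizeSPDXID, GenerateSPDXID, FormatSPDXRef, GenerateBOMRef and ShortHash are reimplemented below as an added, illustrative example. This is not the sbom package's own code: the lowercase names (sanitizeSPDXID, generateSPDXID, formatSPDXRef, generateBOMRef, shortHash, duplicateSPDXIDs, the vendor struct) and the sample vendors are this example's, and the guard for commit hashes shorter than 7 characters and the idempotent "SPDXRef-" prefixing are its own choices rather than documented behaviour. The duplicateSPDXIDs check is added because sanitization is lossy: two vendors whose names differ only in characters outside [a-zA-Z0-9.-] and that pin the same commit produce the same SPDX ID, and SPDX requires SPDXIDs to be unique within a document.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// maxSPDXIDLength mirrors the documented MaxSPDXIDLength constant.
const maxSPDXIDLength = 128

// vendor mirrors the documented VendorIdentity fields (example type).
type vendor struct {
	Name       string
	Ref        string // informational only, never used in identifiers
	CommitHash string
}

// invalidSPDXChar matches any single character outside the documented
// SPDX identifier alphabet [a-zA-Z0-9.-].
var invalidSPDXChar = regexp.MustCompile(`[^a-zA-Z0-9.-]`)

// sanitizeSPDXID applies the documented contract: each invalid character
// becomes a hyphen, empty input becomes "unknown", and the result is
// truncated to maxSPDXIDLength. Byte-based truncation is safe here because
// the replacement step leaves only ASCII in the output.
func sanitizeSPDXID(s string) string {
	if s == "" {
		return "unknown"
	}
	out := invalidSPDXChar.ReplaceAllString(s, "-")
	if len(out) > maxSPDXIDLength {
		out = out[:maxSPDXIDLength]
	}
	return out
}

// shortHash returns the first 7 characters of the commit hash. Returning a
// shorter hash unchanged is this example's choice: it avoids a slice panic
// on malformed configuration instead of hiding the problem.
func shortHash(commit string) string {
	if len(commit) < 7 {
		return commit
	}
	return commit[:7]
}

// generateSPDXID builds Package-{sanitized-name}-{short-hash} without the
// SPDXRef- prefix, as documented.
func generateSPDXID(v vendor) string {
	return "Package-" + sanitizeSPDXID(v.Name) + "-" + shortHash(v.CommitHash)
}

// formatSPDXRef adds the required SPDXRef- prefix. Leaving an already
// prefixed ID untouched is this example's choice, so formatting twice
// cannot double-prefix.
func formatSPDXRef(elementID string) string {
	if strings.HasPrefix(elementID, "SPDXRef-") {
		return elementID
	}
	return "SPDXRef-" + elementID
}

// generateBOMRef builds {name}@{short-hash} for CycloneDX; the raw name is
// used because the documented format does not sanitize it.
func generateBOMRef(v vendor) string {
	return v.Name + "@" + shortHash(v.CommitHash)
}

// duplicateSPDXIDs reports every SPDX ID that more than one vendor maps to,
// keyed by ID with the colliding vendor names as the value. Run it before
// emitting a document; a collision means the SBOM would be invalid.
func duplicateSPDXIDs(vendors []vendor) map[string][]string {
	byID := make(map[string][]string)
	for _, v := range vendors {
		id := generateSPDXID(v)
		byID[id] = append(byID[id], v.Name)
	}
	dups := make(map[string][]string)
	for id, names := range byID {
		if len(names) > 1 {
			dups[id] = names
		}
	}
	return dups
}

func main() {
	// Constructed sample vendors; the commit hashes are not real.
	vendors := []vendor{
		{Name: "my lib/v2", Ref: "v2.1.0", CommitHash: "0123456789abcdef0123456789abcdef01234567"},
		{Name: "my_lib", Ref: "main", CommitHash: "abcdef0123456789abcdef0123456789abcdef01"},
		{Name: "my/lib", Ref: "release", CommitHash: "abcdef0123456789abcdef0123456789abcdef01"},
	}
	for _, v := range vendors {
		fmt.Printf("%-10s spdx=%s bom=%s\n", v.Name, formatSPDXRef(generateSPDXID(v)), generateBOMRef(v))
	}
	for id, names := range duplicateSPDXIDs(vendors) {
		fmt.Printf("collision: %s <- %v\n", id, names)
	}
}
```

Running it prints the SPDX and BOM references for the three constructed vendors and then one collision line, because "my_lib" and "my/lib" both sanitize to "my-lib" and share a commit. The BOM references stay distinct since CycloneDX refs keep the raw name.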
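The namespace, project-name fallback and metadata-comment contracts described for BuildSPDXNamespace, ValidateProjectName and MetadataComment are shown together in this added example. It is not the sbom package's own code: the lowercase functions (validateProjectName, newUUID, buildSPDXNamespace, metadataComment) and constants are this example's stand-ins, the "key=value; ..." comment layout and the trailing-slash trimming on baseURL are assumptions of this example, and treating a whitespace-only project name as empty is its own choice. The UUID is generated from crypto/rand so that each emitted document gets a distinct namespace.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"strings"
)

// Stand-ins for the documented DefaultProjectName and DefaultSPDXNamespace.
const (
	defaultProjectName   = "unknown-project"
	defaultSPDXNamespace = "https://spdx.org/spdxdocs"
)

// validateProjectName returns the name unchanged when present, otherwise
// defaultProjectName. Treating whitespace-only input as empty is this
// example's choice.
func validateProjectName(name string) string {
	if strings.TrimSpace(name) == "" {
		return defaultProjectName
	}
	return name
}

// newUUID produces a random (version 4, RFC 4122 variant) UUID string from
// crypto/rand; 8-4-4-4-12 hex groups, 36 characters in total.
func newUUID() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	b[6] = (b[6] & 0x0f) | 0x40 // version 4
	b[8] = (b[8] & 0x3f) | 0x80 // RFC 4122 variant
	return fmt.Sprintf("%x-%x-%x-%x-%x", b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
}

// buildSPDXNamespace joins the documented {baseURL}/{projectName}/{uuid}
// layout. Trimming a trailing slash and falling back to the default
// namespace on an empty baseURL are this example's choices.
func buildSPDXNamespace(baseURL, projectName, uuid string) string {
	base := strings.TrimRight(baseURL, "/")
	if base == "" {
		base = defaultSPDXNamespace
	}
	return base + "/" + validateProjectName(projectName) + "/" + uuid
}

// metadataComment includes only fields that carry a value, so an absent
// vendoredAt or vendoredBy never appears as an empty placeholder. The
// "key=value; ..." layout is an assumption of this example.
func metadataComment(ref, commit, vendoredAt, vendoredBy string) string {
	fields := []struct{ key, val string }{
		{"ref", ref},
		{"commit", commit},
		{"vendoredAt", vendoredAt},
		{"vendoredBy", vendoredBy},
	}
	var parts []string
	for _, f := range fields {
		if f.val != "" {
			parts = append(parts, f.key+"="+f.val)
		}
	}
	return strings.Join(parts, "; ")
}

func main() {
	id, err := newUUID()
	if err != nil {
		panic(err)
	}
	// Constructed inputs: an empty project name falls back to the default.
	fmt.Println(buildSPDXNamespace("https://example.test/sboms/", "", id))
	fmt.Println(metadataComment("v1.2.0", "0123456789abcdef", "", "ci-bot"))
}
```

The first line printed is the namespace "https://example.test/sboms/unknown-project/<uuid>", with no doubled slash despite the trailing slash in the configured base; the second is "ref=v1.2.0; commit=0123456789abcdef; vendoredBy=ci-bot", with the empty vendoredAt omitted entirely.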
Types
type SupplierInfo
SupplierInfo holds supplier/manufacturer information extracted from a repository URL.
func ExtractSupplier
func ExtractSupplier(repoURL string) *SupplierInfo
ExtractSupplier extracts supplier information from a repository URL. Uses the shared hostdetect package for consistent URL parsing across the codebase. Returns nil if the URL is empty, invalid, or from an unknown provider.
Supported providers: GitHub, GitLab, Bitbucket (including self-hosted instances).
type VendorIdentity
type VendorIdentity struct {
	// Name is the vendor name from config (required for identification).
	Name string
	// Ref is the git ref (branch, tag, commit) being tracked.
	// This field is preserved for informational/debugging purposes but is NOT
	// used in identifier generation. The CommitHash provides uniqueness instead,
	// because the same ref can point to different commits over time.
	Ref string
	// CommitHash is the full commit SHA for the ref (required for uniqueness).
	CommitHash string
}
VendorIdentity represents the unique identity of a vendored dependency. A vendor may track multiple refs, so the identity includes both name and commit hash.
func (VendorIdentity) ShortHash
func (v VendorIdentity) ShortHash() string
ShortHash returns the first 7 characters of the commit hash. This is used for display and as part of identifiers.