Skip to content

[Phase 1] Stage 1: SBOM generation (Syft + CycloneDX parsing) #3

Description

@varun-polpakkara

Summary

Takes a project source path, invokes Syft to produce a CycloneDX JSON SBOM, parses the output, and persists a SBOMSnapshot + one Component row per discovered package.

How it works

  1. Verifies the Project row exists (raises SBOMGenerationError otherwise).
  2. Calls run_tool([syft, source_path, "-o", "cyclonedx-json={output_path}"]).
  3. Reads the JSON file Syft wrote to disk, extracts the components[] array.
  4. Inserts SBOMSnapshot (with raw CycloneDX JSON blob) and one Component per entry — extracting name, version, purl, cpe, and ecosystem from the PURL prefix.
  5. Sets SBOMSnapshot.status = "SBOM_DONE".

Key details

  • PURL fallback: If Syft doesn't emit a PURL, a pkg:generic/name@version fallback is constructed so the column stays non-null.
  • Syft version handling: Handles both CycloneDX 1.4 (tools as a list) and 1.5 (tools as {"components": [...]}) formats.

Tests (18 passing)

Snapshot row creation, component rows, ecosystem extraction from PURLs, CPE storage, Syft version parsing (1.4 and 1.5), and all error paths (project not found, non-zero exit, no output file, invalid JSON, zero components).

Metadata

Metadata

Labels

Fields

No fields configured for Feature.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions