Hello 👋
I'm using capycli in a few projects to automate parts of the software clearing process. One of the projects I maintain has a dependency on an inner-source component, so I've been instructed to:
- remove the component from the SBOM, and
- add a project link to the inner source project
I've been able to automate parts of this. Removing the component from the SBOM is pretty straightforward with `capycli bom filter`, and linking the project is simply a matter of adding the project ID in the `linkedProjects` of my project:

```json
{
  "Components": [
    {
      "comment": "This project is inner source and is linked directly.",
      "component": {
        "Name": "code.siemens.com/go/web.git",
        "Version": "v0.0.3"
      },
      "Mode": "remove"
    }
  ]
}
```

```shell
capycli bom filter -v \
  -i ./build/sark-linux-arm64.standard.cdx.json \
  -o ./build/sark-linux-arm64.capycli-filtered.cdx.json \
  -filterfile ./clearing/capycli-filters.json
```

```json
{
  "name": "$CI_PROJECT_TITLE",
  "description": "$CI_PROJECT_TITLE - $CI_PROJECT_DESCRIPTION ($VERSION)",
  "businessUnit": "SI",
  "tag": "SI CTO",
  "ownerGroup": "SI",
  "projectOwner": "brandon.richardson@siemens.com",
  "projectResponsible": "brandon.richardson@siemens.com",
  "securityResponsibles": ["brandon.richardson@siemens.com"],
  "projectType": "PRODUCT",
  "visibility": "EVERYONE",
  "enableSvm": true,
  "enableVulnerabilitiesDisplay": true,
  "externalIds": {
    "com.siemens.code.project.id": "$CI_PROJECT_ID"
  },
  "linkedProjects": {
    "a355d81c59614a1f914d07f415d5513a": { "projectRelationship": "CONTAINED" }
  },
  "domain": "Application Software"
}
```

There are two aspects to this that I find a bit clunky and add to the overall maintenance effort. I'm hoping to get some guidance on how to improve this :-)
The first is that the SBOM filter file `capycli-filters.json` needs to be updated whenever I upgrade the (project) dependency version. It's easy to forget to do this, in which case I'll need to do some manual cleanup in SW360. For example, if I upgrade go/web to v0.0.4, I need to remember to also update this SBOM filter ahead of clearing. A minor annoyance, but not the end of the world.
The second -- and most annoying -- is the project linking. Whenever I update the dependency, I also need to update the project ID in my project file. It would be really nice if capycli had a mechanism to look up the project by name/version or, better yet, by tagging the component in my SBOM in such a way that instructs capycli to link the component as a project.
I sadly couldn't find a solution to this; it looks as though there's no support for what I'm looking for. Any ideas?
Thanks!
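As an added example (not part of the issue or of capycli itself) of the mechanism the post asks for: a Python script that derives both the filter file and the `linkedProjects` entry from a property on the SBOM component, so a version bump in the SBOM propagates to both files and a missing SW360 project for the new version fails loudly rather than silently leaving a stale link. The property name, the sample SBOM and the search response are constructed assumptions; the search-result shape only mimics an SW360 REST project search.

```python
import json

# Hypothetical CycloneDX property marking a component for linking (assumed, not a capycli feature).
LINK_PROPERTY = "siemens:sw360:link-as-project"

# Constructed sample SBOM: one ordinary dependency, one tagged inner-source component.
SAMPLE_SBOM = {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": [
    {"name": "github.com/spf13/cobra", "version": "v1.8.0"},
    {"name": "code.siemens.com/go/web.git", "version": "v0.0.4",
     "properties": [{"name": LINK_PROPERTY, "value": "true"}]},
]}

# Constructed sample shaped like an SW360 REST project search result (GET .../resource/api/projects?name=...);
# the id is the last path segment of each entry's self link. The v0.0.4 id is a placeholder, not a real project.
SAMPLE_SEARCH = {"_embedded": {"sw360:projects": [
    {"name": "code.siemens.com/go/web.git", "version": "v0.0.3", "_links": {"self": {
        "href": "https://sw360.example/resource/api/projects/a355d81c59614a1f914d07f415d5513a"}}},
    {"name": "code.siemens.com/go/web.git", "version": "v0.0.4", "_links": {"self": {
        "href": "https://sw360.example/resource/api/projects/PLACEHOLDER_PROJECT_ID"}}},
]}}

def tagged_components(sbom):
    """Return (name, version) of every component carrying LINK_PROPERTY=true."""
    return [(c["name"], c["version"]) for c in sbom.get("components", [])
            if any(p.get("name") == LINK_PROPERTY and p.get("value") == "true"
                   for p in c.get("properties", []))]

def filter_file(components):
    """Build the capycli 'bom filter' file that removes the tagged components."""
    return {"Components": [
        {"comment": "Inner-source project, linked as an SW360 project instead.",
         "component": {"Name": n, "Version": v}, "Mode": "remove"}
        for n, v in components]}

def project_id(search, name, version):
    """Resolve exactly one project id by name AND version; fail loudly otherwise."""
    hits = [p for p in search["_embedded"]["sw360:projects"]
            if p["name"] == name and p["version"] == version]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} SW360 projects match {name} {version}")
    return hits[0]["_links"]["self"]["href"].rsplit("/", 1)[-1]

def linked_projects(components, search):
    """Build the linkedProjects map for the capycli project file."""
    return {project_id(search, n, v): {"projectRelationship": "CONTAINED"}
            for n, v in components}

if __name__ == "__main__":
    comps = tagged_components(SAMPLE_SBOM)
    print(json.dumps({"filter": filter_file(comps), "linkedProjects": linked_projects(comps, SAMPLE_SEARCH)}, indent=2))
```

In a pipeline the search response would come from the SW360 REST API with the component name as query, and the two generated fragments would be written to the filter file and merged into the project file before `capycli bom filter` runs.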