Diffing Between SBOMs #148
Comments
|
I could see this being pretty useful. Surfactant currently doesn't have any functionality for doing SBOM diffs. |
|
Maybe we shouldn't expect this functionality in surfactant. Surfactant is more for extracting the information, but I think in order to inner/outer join and compare we need a higher level tool like a relational database? |
|
I think there are some comparisons that could be easy to do without a relational database, and involve functions (e.g. what differences exist between SBOMs for a particular set of fields) that would be useful for writing better CI tests. I’d be okay with merging basic diffing features that can also improve testing if someone wants to add them. I’d agree that more involved comparisons are outside the current scope and would be better handled by other tools. |
|
#202 - testing plugins could also benefit from some "fuzzy" SBOM comparison functions |
Is your feature request related to a problem? Please describe.
There have been some use cases when we have more then one version of the same firmware and therefore multiple BOMs. It would be beneficial to have some sort of script for comparison purposes.
Describe the solution you'd like
I think there is potential is generating a simple Python script that just builds a list of all of the given paths in an SBOM and then compares entries to determine differing file locations as well as differing hashes. Potentially it could be valuable to compare by other fields such as strings or potentially additional hash types (TLSH, SSDEEP), although each such comparison would need its own scoring function.
Additional context
If functionality like this already exists please let me know.
The text was updated successfully, but these errors were encountered: