Github functionality to fetch SBOM from Releases #274

EphraimEM · 2025-01-28T15:38:01Z

GitHub users may want to store/fetch their Sboms in non-source locations, like releases. The GitHub client whould be updated to support this.

Fetch

Optional Functionality:
Fetch from releases. Seems to be covered by http client, but may be worth investigating the api offerings.

ashearin · 2025-01-28T19:08:06Z

Per our discussion, some ideas for functionality:

Pull one specific bom/document from a github release:
- example command: bomctl fetch github.com/bomctl/bomctl@v0.4.2#bomctl_0.4.2_windows_arm64.zip.cdx.json
- Client would search through and find specific file in the assets for the v0.4.2 release and
  - Add it to the cache if found
  - Return not found message if not. (I don't think we should return an error code, just a message to the user)
Pull every available sbom in specified github release
- example command: bomctl fetch github.com/bomctl/bomctl@v0.4.2
  - Need to check to see this doesn't clash with the existing github fetch functionality, I don't think it does.
- Client would search through all assets for given release, pull any files that match the sbom naming conventions and
  - Add it to the cache
  - Add an alias to the document using the asset name (usually the filename) to keep items distinct for users.

lmphil assigned EphraimEM Jan 28, 2025

Provide feedback