Update README.md to include strict SBOM validation flag and supported CycloneDX versions information (#8)

fixes #3
djschleen authored Oct 9, 2024
1 parent b0e07a1 commit b59fa40
Showing 1 changed file with 16 additions and 3 deletions.
19 changes: 16 additions & 3 deletions README.md
@@ -8,11 +8,13 @@
## Table of Contents

- [Overview](#overview)
- [The importance of undetstanding supply chain attacks](#the-importance-of-undetstanding-supply-chain-attacks)
- [The importance of understanding supply chain attacks](#the-importance-of-understanding-supply-chain-attacks)
- [Installation](#installation)
- [Example Usage](#example-usage)
- [Application Arguments](#application-arguments)
- [Example Usage](#example-usage)
- [Troubleshooting](#troubleshooting)
- [SBOM Validation](#sbom-validation)
- [Supported CycloneDX versions](#supported-cyclonedx-versions)
- [Credits](#credits)

## Overview
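Review bot: the two new entries `- [SBOM Validation](#sbom-validation)` and `- [Supported CycloneDX versions](#supported-cyclonedx-versions)` sit at the same level as the `##` sections, but the headings they point to are `###` subsections under Troubleshooting; indent them beneath the Troubleshooting entry so the table of contents mirrors the document structure. The anchors themselves follow GitHub's slug rules for those headings, and the typo fix in the supply chain entry correctly updates both the link text and the anchor.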
@@ -94,12 +96,23 @@ cat sbom_file.json | trustier -

## Troubleshooting

During testing, we found there were some required fields needed in the SBOM in order to be considered valid. Ensure at minimum you have the following fields in your components:
### SBOM Validation

During testing, we found there were some required fields needed in the SBOM in order to be considered valid. We
utilized the validation logic provided in the CycloneDX dependencies we use in `trustier`. In version 0.1.1, we
disabled validation by default, but if you wish to utilize strict validation then utilize the `--strict` flag.

Ensure at minimum you have the following fields in your components if you are using strict validation:

- `name`
- `purl`
- `type`

### Supported CycloneDX versions

`trustier` relies on [CycloneDX](https://github.com/CycloneDX/cyclonedx-rust-cargo/blob/main/cyclonedx-bom/README.md) to
load and work with SBOMs. This provides a limitation of only supporting versions 1.3, 1.4, and 1.5 of the CycloneDX specification at this time.

**NOTE:** `trustier` does not support SPDX formatted SBOMS at this time.

## Credits
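Review bot: the SBOM Validation paragraph states that validation is disabled by default as of version 0.1.1 but never says what `trustier` does with an SBOM that would have failed validation when `--strict` is absent (load it anyway, skip the offending components, or warn); readers deciding whether to trust the tool's output on an SBOM they did not produce need that stated explicitly, for example that without `--strict` the CycloneDX checks are not applied and components missing `name`, `purl` or `type` are still processed, and that `--strict` is the recommended mode for SBOMs from untrusted sources. The same applies to the Supported CycloneDX versions subsection: say whether a 1.6 document is rejected with an error or silently mishandled. Two smaller points: "SBOMS" in the NOTE should be "SBOMs", and "some required fields needed in the SBOM in order to be considered valid" reads better as "some fields are required for an SBOM to be considered valid".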
