fix: SBOM multi-ecosystem support with correct package managers and licenses #8

Merged
sharang merged 2 commits from fix/sbom-package-manager-from-purl into main 2026-03-10 12:37:30 +00:00
Owner

Summary

  • Package manager detection: Extract ecosystem from PURL (pkg:npm/... → npm, pkg:cargo/... → cargo) instead of using CycloneDX type field which was returning "library"/"file" for everything
  • Lock file generation: Auto-generate Cargo.lock, package-lock.json, and requirements.txt before Syft scan for repos that gitignore their lock files
  • License resolution: Enable Syft remote license lookups for Go/JS/Python/Java, enrich Cargo via cargo metadata, and parse SPDX license expressions
  • Dynamic filter dropdowns: Manager and license dropdowns now populate from actual DB data via new /api/v1/sbom/filters endpoint
  • Stale entry cleanup: Delete old SBOM entries on rescan instead of only upserting, so removed dependencies don't linger
  • Docker image: Added cargo, npm, go, php, ruby, composer, bundler for lockfile generation in production

Test plan

  • Rescan a Rust repo — should see cargo packages with licenses
  • Rescan an npm repo — manager should show "npm" not "library"
  • Add Python/Go/Java/PHP/Ruby repos and scan — verify correct managers and licenses
  • Verify manager and license dropdowns populate dynamically
  • Filter by manager and license — should return correct results

🤖 Generated with Claude Code

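The two data-quality fixes in the summary are small enough to show in a few lines. The block below is an added example, not code from the compliance-scanner-agent repository: it derives the package manager from the PURL type (so a component whose CycloneDX `type` is "library" or "file" still resolves to npm, cargo, pip, and so on) and splits an SPDX license expression such as "MIT OR Apache-2.0" into the individual IDs a license filter needs. The type-to-manager mapping (pypi to pip, golang to go, gem to bundler) and the simplified expression splitting (parentheses ignored, `AND`/`OR` as separators, `WITH` exceptions kept with their license) are assumptions of the example, not the project's own rules.

```rust
/// A normalised SBOM row: the manager the filter dropdown should show and
/// the license IDs the entry should be searchable under.
#[derive(Debug, PartialEq)]
pub struct Normalized {
    pub manager: String,
    pub licenses: Vec<String>,
}

/// Extract the lowercase PURL type ("npm", "cargo", "pypi", ...) from a
/// package URL of the form `pkg:type/namespace/name@version?qualifiers#subpath`.
/// Returns None when the string is not a PURL or the type is empty/invalid.
pub fn purl_type(purl: &str) -> Option<String> {
    let rest = purl.strip_prefix("pkg:")?;
    // The PURL spec tolerates stray leading slashes after the scheme.
    let rest = rest.trim_start_matches('/');
    let end = rest.find('/')?;
    let ty = &rest[..end];
    let valid = !ty.is_empty()
        && ty
            .chars()
            .all(|c| c.is_ascii_alphanumeric() || matches!(c, '.' | '+' | '-'));
    if !valid {
        return None;
    }
    // Types are case-insensitive; the canonical form is lowercase.
    Some(ty.to_ascii_lowercase())
}

/// Map a PURL type to the manager name shown in the dashboard. The renames
/// (pypi -> pip, golang -> go, gem -> bundler) are an assumption of this
/// example; other types (npm, cargo, maven, composer) are used as-is.
pub fn manager_name(purl_type: &str) -> String {
    match purl_type {
        "pypi" => "pip",
        "golang" => "go",
        "gem" => "bundler",
        other => other,
    }
    .to_string()
}

/// Append the operand accumulated in `current` to `ids`, skipping duplicates.
fn push_operand(ids: &mut Vec<String>, current: &mut Vec<&str>) {
    if !current.is_empty() {
        let id = current.join(" ");
        if !ids.contains(&id) {
            ids.push(id);
        }
        current.clear();
    }
}

/// Split an SPDX license expression into its operand license IDs, in order
/// of first appearance and without duplicates. Parentheses are ignored,
/// `AND`/`OR` separate operands, and a `WITH` exception stays attached to
/// its license ("GPL-2.0-only WITH Classpath-exception-2.0" is one operand).
pub fn license_ids(expr: &str) -> Vec<String> {
    let cleaned: String = expr
        .chars()
        .map(|c| if c == '(' || c == ')' { ' ' } else { c })
        .collect();
    let mut ids: Vec<String> = Vec::new();
    let mut current: Vec<&str> = Vec::new();
    for tok in cleaned.split_whitespace() {
        match tok {
            "AND" | "OR" => push_operand(&mut ids, &mut current),
            _ => current.push(tok),
        }
    }
    push_operand(&mut ids, &mut current);
    ids
}

/// Normalise one component; None means the row has no usable PURL and
/// should not be given a manager at all (rather than "library").
pub fn normalize(purl: &str, license_expr: &str) -> Option<Normalized> {
    let ty = purl_type(purl)?;
    Some(Normalized {
        manager: manager_name(&ty),
        licenses: license_ids(license_expr),
    })
}

fn main() {
    // Constructed sample rows shaped like Syft's CycloneDX output. The
    // CycloneDX `type` column would read "library" for every one of them,
    // which is why it cannot serve as the package-manager field.
    let components = [
        ("pkg:npm/%40babel/core@7.24.0", "MIT"),
        ("pkg:cargo/serde@1.0.197", "MIT OR Apache-2.0"),
        ("pkg:pypi/requests@2.31.0", "Apache-2.0"),
        ("pkg:golang/github.com/spf13/cobra@v1.8.0", "Apache-2.0"),
        ("pkg:maven/org.example/lib@1.0", "(MIT AND BSD-3-Clause) OR GPL-2.0-only WITH Classpath-exception-2.0"),
        ("not-a-purl", "MIT"),
    ];
    for &(purl, expr) in components.iter() {
        match normalize(purl, expr) {
            Some(n) => println!("{purl}: manager={} licenses={:?}", n.manager, n.licenses),
            None => println!("{purl}: skipped (no valid PURL type)"),
        }
    }
}
```

Because `license_ids` returns every ID the expression mentions, a component licensed "MIT OR Apache-2.0" matches a filter on either license, which is what a compliance reviewer looking for copyleft or disallowed terms wants; the one-row-per-manager result also makes the `/api/v1/sbom/filters` dropdown values come straight from normalised data rather than from the CycloneDX component category.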
sharang added 1 commit 2026-03-10 11:50:47 +00:00
fix: SBOM multi-ecosystem support with correct package managers and licenses
Some checks failed
CI / Format (push) Failing after 39s
CI / Clippy (push) Successful in 4m24s
CI / Security Audit (push) Has been skipped
CI / Tests (push) Has been skipped
CI / Format (pull_request) Failing after 3s
CI / Clippy (pull_request) Successful in 4m24s
CI / Security Audit (pull_request) Has been skipped
CI / Tests (pull_request) Has been skipped
CI / Detect Changes (push) Has been skipped
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (push) Has been skipped
CI / Deploy Dashboard (push) Has been skipped
CI / Deploy Docs (push) Has been skipped
CI / Deploy MCP (push) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
9da1d057d5
- Extract package manager from PURL instead of CycloneDX component type
  (was showing "library"/"file" instead of "npm"/"cargo"/"pip" etc.)
- Generate missing lock files (Cargo.lock, package-lock.json) before Syft
  scan so repos that gitignore them still get full dependency trees
- Enable Syft remote license lookups for Go, JS, Python, and Java
- Enrich Cargo entries with license data from cargo metadata
- Parse CycloneDX license expressions (e.g. "MIT OR Apache-2.0")
- Delete stale SBOM entries on rescan instead of only upserting
- Add /api/v1/sbom/filters endpoint for dynamic filter options
- Make manager and license dropdowns dynamic from actual DB data
- Add cargo, npm, go, php, ruby, composer, bundler to Docker image

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sharang added 1 commit 2026-03-10 12:22:04 +00:00
style: apply cargo fmt
All checks were successful
CI / Clippy (pull_request) Successful in 4m29s
CI / Security Audit (pull_request) Has been skipped
CI / Tests (pull_request) Has been skipped
CI / Deploy MCP (push) Has been skipped
CI / Deploy Agent (pull_request) Has been skipped
CI / Deploy Dashboard (pull_request) Has been skipped
CI / Format (push) Successful in 5s
CI / Clippy (push) Successful in 4m37s
CI / Security Audit (push) Has been skipped
CI / Tests (push) Has been skipped
CI / Format (pull_request) Successful in 3s
CI / Detect Changes (push) Has been skipped
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (push) Has been skipped
CI / Deploy Dashboard (push) Has been skipped
CI / Deploy Docs (push) Has been skipped
CI / Deploy Docs (pull_request) Has been skipped
CI / Deploy MCP (pull_request) Has been skipped
1d861ef8fc
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
sharang merged commit daff5812a6 into main 2026-03-10 12:37:30 +00:00
sharang deleted branch fix/sbom-package-manager-from-purl 2026-03-10 12:37:30 +00:00
No Reviewers
1 Participants
Reference: sharang/compliance-scanner-agent#8