CRA Tool

SBOM Extraction

Support additional package managers for dependency graph extraction.

Status: Open (Multiple)
Type: Closed-Source Collaborative
Eligible Courses: SEMI, PRAK/PROJ
Scope: 5 ECTS - 10 ECTS
Use of Artificial Intelligence: Allowed
CLA Required?: Yes

Summary

CRA Tool uses its own component for dependency graph extraction, called excalibur. Similar to tools like Trivy, Syft or cdxgen, it takes a codebase as input and resolves its dependencies, the relationships between them, and their scopes. The resulting report is then passed to CRA Tool for further processing.

This contribution will implement a new analyzer plugin for excalibur, adding comprehensive support for a new package manager or improving the extraction logic for an already existing one.

Ecosystems that have no support yet:

  • PHP
  • Ruby
  • NuGet
  • SPDX

Expected Tasks

  1. Learn about the specifics of your ecosystem (registries, aliases, workspace support, ...)
  2. Learn about the features, limitations, and algorithms of related tools for your ecosystem
  3. Implement the extractor logic and define test fixtures
  4. Select real-world repositories and add them to the integration test
  5. Write a brief project report (1-2 pages max)

Technologies

You should be familiar with the following programming languages:

  • TypeScript

Ideally, you are already familiar with the ecosystem/package manager you want to add support for.
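To illustrate what an extractor for one of the unsupported ecosystems does, here is an added example that is not code from excalibur or CRA Tool: a minimal TypeScript parser for Ruby's Gemfile.lock that resolves each gem to its locked version, builds the dependency edges, and marks which gems are direct dependencies of the project. The Component/Edge/Graph types, the function name and the sample lockfile are assumptions for this illustration, not excalibur's real plugin API.

```typescript
// Added example (not excalibur's code): minimal Gemfile.lock extractor; all names are assumptions.
interface Component { name: string; version: string; direct: boolean }
interface Edge { from: string; to: string }          // ids are "name@version"
interface Graph { components: Component[]; edges: Edge[] }
function parseGemfileLock(text: string): Graph {
  const specs = new Map<string, string>();     // gem name -> resolved version
  const deps = new Map<string, string[]>();    // gem name -> declared dependency names
  const direct = new Set<string>();            // names listed under DEPENDENCIES
  let section = "", inSpecs = false, current: string | null = null;
  for (const raw of text.split(/\r?\n/)) {
    if (raw.trim() === "") continue;
    if (!raw.startsWith(" ")) {                // unindented line = section header (GEM, PATH, ...)
      section = raw.trim(); inSpecs = false; current = null; continue;
    }
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (section === "GEM" || section === "PATH" || section === "GIT") {
      if (indent === 2) { inSpecs = line === "specs:"; continue; }   // remote:/revision:/specs:
      if (!inSpecs) continue;
      const m = /^(\S+) \(([^)]+)\)$/.exec(line);    // "rack (3.0.8)" at indent 4 is a resolved gem
      if (indent === 4 && m) { specs.set(m[1], m[2]); deps.set(m[1], []); current = m[1]; }
      else if (indent === 6 && current) deps.get(current)!.push(line.split(" ")[0]); // "rack (>= 1.3)"
    } else if (section === "DEPENDENCIES") {
      direct.add(line.split(/[ !]/)[0]);       // drop the constraint and the "!" path/git marker
    }
  }
  const id = (n: string) => `${n}@${specs.get(n)}`;
  const components = [...specs]
    .map(([name, version]) => ({ name, version, direct: direct.has(name) }))
    .sort((a, b) => a.name.localeCompare(b.name));
  const edges: Edge[] = [];
  for (const [from, names] of deps)
    for (const to of names)
      if (specs.has(to)) edges.push({ from: id(from), to: id(to) }); // skip names with no locked spec
  return { components, edges };
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = `GEM
  remote: https://rubygems.org/
  specs:
    rack (3.0.8)
    rack-test (2.1.0)
      rack (>= 1.3)
    rake (13.1.0)

DEPENDENCIES
  rack-test
  rake (~> 13.0)
`;
```

Note that Gemfile.lock carries no group information, so scopes (e.g. development vs. runtime) must be read from the Gemfile itself; this extractor only distinguishes direct from transitive dependencies.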
