Add `POST /api/sbom/enrich` that accepts a CycloneDX or SPDX document and returns it with missing component metadata filled in from the proxy's enrichment data.

Flow:

- Parse the body with `git-pkgs/sbom.Parse()` into the unified `*sbom.SBOM` model
- For each package, look up the PURL in the proxy database (already populated via `git-pkgs/enrichment`); optionally fall back to a live `enrichment.Client.BulkLookup` for misses
- Fill in `LicenseDeclared`, `Supplier`, `Checksums` (from the artifacts table), and vulnerability references where they're empty
- Encode back in the same format the document arrived in, using `sbom.Encode()`

This matches what `jf sbom-enrich` does in the JFrog CLI, but backed by ecosyste.ms / deps.dev / registry data instead of Xray's proprietary database. Useful for taking a bare SBOM from `syft` or a build tool and turning it into something with licenses and vuln refs without running a separate scanner.

Both `git-pkgs/sbom` (not yet a dependency) and `git-pkgs/enrichment` (already in `go.mod`) do the heavy lifting here.

UI: a file-upload form on the dashboard that posts to this endpoint and triggers a download of the enriched document.
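The fill-only-where-empty step of the flow above, as an added Go example that is not the project's code. Assumptions: `Component` is a stand-in for the `git-pkgs/sbom` model (reused for a proxy-database record), the PURL-to-record map stands in for the database query, and misses are returned so the caller can batch them into the optional `BulkLookup` pass; a checksum already in the SBOM is kept and any disagreement with the artifacts table is reported rather than merged.

```go
package main

import "fmt"
// Component stands in for the git-pkgs/sbom unified component model and is
// reused for proxy-database records (assumption: only the issue's fields are modelled).
type Component struct {
	PURL, LicenseDeclared, Supplier string
	Checksums                       map[string]string // algorithm -> hex digest
	VulnRefs                        []string
}

// enrichComponents fills only fields that arrived empty. PURLs not in the local
// database come back as misses (the caller can batch them into the optional
// enrichment.Client.BulkLookup pass). A checksum already in the SBOM is never
// replaced: if the artifacts table disagrees, the pair is returned as a conflict
// for the caller to flag, since a mismatch may mean a substituted artifact.
func enrichComponents(comps []Component, local map[string]Component) (out []Component, misses, conflicts []string) {
	for _, c := range comps { // c is a copy: the caller's slice is never mutated
		e, ok := local[c.PURL]
		if !ok {
			misses = append(misses, c.PURL)
			out = append(out, c)
			continue
		}
		if c.LicenseDeclared == "" {
			c.LicenseDeclared = e.LicenseDeclared
		}
		if c.Supplier == "" {
			c.Supplier = e.Supplier
		}
		sums := map[string]string{} // fresh map so the caller's map is not aliased
		for alg, sum := range c.Checksums {
			sums[alg] = sum
		}
		for alg, sum := range e.Checksums {
			if have, seen := sums[alg]; !seen {
				sums[alg] = sum
			} else if have != sum {
				conflicts = append(conflicts, fmt.Sprintf("%s %s sbom=%s db=%s", c.PURL, alg, have, sum))
			}
		}
		c.Checksums = sums
		if len(c.VulnRefs) == 0 {
			c.VulnRefs = append([]string(nil), e.VulnRefs...)
		}
		out = append(out, c)
	}
	return out, misses, conflicts
}
```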