
feat: add --summary CLI flag to output high-level SBOM metrics #26

Open
corepacket wants to merge 1 commit into SBOMit:master from corepacket:feat/summary-flag

Conversation

@corepacket

@corepacket corepacket commented Apr 7, 2026

Description

Fixes #27
This PR introduces a new --summary CLI flag to the sbomit generate command to act as an immediate, lightweight observability dashboard. Instead of having to inspect massive raw JSON SBOM outputs, users can now pass this flag to see a high-level aggregation of their attestation-enriched dependencies directly in their terminal.

What's Changed

  • CLI Flag: Hooked up a --summary boolean flag in cmd/generate.go.
  • Summary Package: Created the pkg/generator/summary.go logic to iterate through the generated sbom.Document nodes.
  • PURL Extraction: Added safe parsing mechanisms to grab the ecosystem string prefix directly from the node's PURL (e.g., extracting pypi from pkg:pypi/...).
  • Deterministic Output: The summary output is explicitly alphabetized on the ecosystem keys to guarantee clean, deterministic outputs.
  • Unit Testing: Added rigorous testing coverage to pkg/generator/summary_test.go ensuring precise ecosystem identification and total package counts.

Example Output

Running: ./sbomit generate sample-attestation.json --summary

SBOM Summary
------------
Total Packages: 90

Ecosystem Breakdown:
  cargo: 38
  pypi: 51
  unknown: 1

@absol27
Member

absol27 commented Apr 15, 2026

LGTM, but some minor nits:

  1. I think the current report can be default behavior
  2. the --summary flag for a more detailed record, showing list of packages
  3. then a flag to suppress stdout (but maybe that's for later)
  4. We ideally shouldn't have "unknown" packages, if they are files then report them as files. If they are truly unknown, as in we don't handle them rn, let us know so we can build the parsers for them

@corepacket
Author

@absol27 Thanks for the feedback — just confirming the updated plan:

  1. Make the current summary output the default behavior of generate
  2. Repurpose --summary to show a more detailed breakdown (package list per ecosystem)
  3. Replace "unknown" with more meaningful classification (e.g., "file" or surface unclassified cases)

I’ll proceed with this unless you’d like anything adjusted.
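The ecosystem extraction and deterministic grouping described in the PR, together with the file vs. unclassified split and the per-ecosystem package list agreed in the plan above, as an added Go example; this is not the PR's own code from cmd/generate.go or pkg/generator/summary.go, and the Node type, function names and sample nodes are assumptions.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Node is a hypothetical stand-in for one SBOM node; SBOMit's real sbom.Document is not reproduced.
type Node struct{ Name, PURL string }

// Ecosystem returns the PURL type ("pypi" from "pkg:pypi/requests@2.31.0"); nodes
// without a pkg: PURL are "file" if the name looks like a path, else "unclassified".
func Ecosystem(n Node) string {
	if strings.HasPrefix(n.PURL, "pkg:") {
		typ, _, found := strings.Cut(strings.TrimPrefix(n.PURL, "pkg:"), "/")
		if found && typ != "" {
			return strings.ToLower(typ)
		}
		return "unclassified" // "pkg:" with no type/name is a malformed PURL
	}
	if strings.ContainsAny(n.Name, `/\`) {
		return "file"
	}
	return "unclassified"
}

// Summarize groups names by ecosystem; keys and names are sorted for deterministic output.
func Summarize(nodes []Node) (int, []string, map[string][]string) {
	groups := map[string][]string{}
	for _, n := range nodes {
		eco := Ecosystem(n)
		groups[eco] = append(groups[eco], n.Name)
	}
	keys := make([]string, 0, len(groups))
	for k := range groups {
		sort.Strings(groups[k])
		keys = append(keys, k)
	}
	sort.Strings(keys)
	return len(nodes), keys, groups
}

func main() { // constructed sample nodes, not real SBOMit output
	total, keys, groups := Summarize([]Node{{"requests", "pkg:pypi/requests@2.31.0"},
		{"serde", "pkg:cargo/serde@1.0.0"}, {"./build.sh", ""}, {"mystery", "pkg:"}})
	fmt.Printf("Total Packages: %d\n", total)
	for _, k := range keys { // per-ecosystem package list = the repurposed --summary view
		fmt.Printf("  %s: %d  [%s]\n", k, len(groups[k]), strings.Join(groups[k], ", "))
	}
}
```

Keeping "unclassified" as a distinct bucket (rather than folding it into "file") is what lets a reviewer spot nodes the parsers do not handle yet.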

@absol27
Member

absol27 commented Apr 15, 2026

Looks great, that's the summary of the plan!

This commit updates the summary flag logic to:

- Make the brief summary the default output.

- Repurpose the --summary flag to output the detailed per-ecosystem package list.

- Improve unclassified vs file ecosystem detection.

Signed-off-by: corepacket <bnwankhede_b24@it.vjti.ac.in>
@corepacket
Author

Hello @absol27, could you please take a look? I’ve updated the PR.



Development

Successfully merging this pull request may close these issues.

Feature Request: Add a --summary CLI flag to output high-level SBOM metrics
