JBom can also do runtime SBOMs but isn't as fine-grained as Classport due to looking at all POMs from the used JARs. I.e. JBom does JAR-level dependency marking at runtime but not class file-level. See its `addAllLibraries`, `scan` and `parsePom` functions here.
This being said, it is a cool project with a lot of ideas for new features and internal structure, e.g.:
- Automatically find PIDs of running processes and attach an agent to them which can use `getAllLoadedClasses`. This would mean we implement an `agentmain` in addition to the `premain` (feature)
- Rethink the types and functions used. This is currently quite ugly (structure was not a priority due to the frequent structural changes), and we should really have types such as `sbom`, `dependency` etc. instead. (internal)
- We should probably drop the real-time agent (as default, at least) and instead run everything on shutdown using a hook. This is cleaner, requires fewer dependencies, and won't slow down the main application (internal)
- Use picocli (feature + internal)
- Research the possibility of creating a DB inside the JAR with all the info, and just have the class file annotation be an index. This can both help with security (if it's a random index) and in minimising the size increase (internal)
- Produce actual CycloneDX SBOMs (feature)
...etc.
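As an added illustration of several of the ideas listed above (an `agentmain` beside the `premain`, attaching to a running PID, collecting `getAllLoadedClasses` from a shutdown hook, and emitting CycloneDX), here is a self-contained agent sketch written for this page. It is not Classport's or JBom's code. The class name `ShutdownSbomAgent`, the `classport:` property names, the default output file name, and the use of each class's code-source URL (instead of Classport's class-file annotation) as the grouping key are all assumptions made for the example.

```java
import java.io.IOException;
import java.lang.instrument.Instrumentation;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.CodeSource;
import java.security.ProtectionDomain;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;

import com.sun.tools.attach.VirtualMachine;

/**
 * Hypothetical agent (example code, not Classport's). The agent JAR manifest needs:
 *   Premain-Class: ShutdownSbomAgent
 *   Agent-Class: ShutdownSbomAgent
 * premain serves -javaagent:agent.jar=out.json at startup; agentmain serves a late
 * attach. Both only register a shutdown hook, so no per-class-load work slows the
 * application while it runs.
 */
public final class ShutdownSbomAgent {

    public static void premain(String args, Instrumentation inst) {
        install(args, inst);
    }

    public static void agentmain(String args, Instrumentation inst) {
        install(args, inst);
    }

    private static void install(String args, Instrumentation inst) {
        // Output path comes from the agent argument; "classport-sbom.json" is an assumed default.
        Path out = Paths.get(args == null || args.isEmpty() ? "classport-sbom.json" : args);
        Runtime.getRuntime().addShutdownHook(new Thread(() -> {
            try {
                writeCycloneDx(collect(inst), out);
            } catch (IOException e) {
                System.err.println("sbom agent: " + e);
            }
        }, "sbom-writer"));
    }

    /** Groups every class the JVM has loaded by the JAR/directory it was defined from. */
    static Map<String, TreeSet<String>> collect(Instrumentation inst) {
        Map<String, TreeSet<String>> byJar = new TreeMap<>();
        for (Class<?> c : inst.getAllLoadedClasses()) {
            ProtectionDomain pd = c.getProtectionDomain();
            CodeSource cs = pd == null ? null : pd.getCodeSource();
            // Bootstrap/JDK classes (and some generated classes) carry no location; skip them.
            if (cs == null || cs.getLocation() == null) continue;
            byJar.computeIfAbsent(cs.getLocation().toString(), k -> new TreeSet<>()).add(c.getName());
        }
        return byJar;
    }

    /** Minimal CycloneDX 1.5 JSON: one "library" component per JAR; loaded classes go in a property. */
    static void writeCycloneDx(Map<String, TreeSet<String>> byJar, Path out) throws IOException {
        StringBuilder sb = new StringBuilder(
            "{\"bomFormat\":\"CycloneDX\",\"specVersion\":\"1.5\",\"version\":1,\"components\":[");
        boolean first = true;
        for (Map.Entry<String, TreeSet<String>> e : byJar.entrySet()) {
            if (!first) sb.append(',');
            first = false;
            String location = e.getKey();
            String name = location.substring(location.lastIndexOf('/') + 1);
            sb.append("{\"type\":\"library\",\"name\":").append(quote(name))
              .append(",\"properties\":[{\"name\":\"classport:location\",\"value\":")
              .append(quote(location)).append('}')
              .append(",{\"name\":\"classport:loaded-classes\",\"value\":")
              .append(quote(String.join(" ", e.getValue()))).append("}]}");
        }
        sb.append("]}");
        Files.write(out, sb.toString().getBytes(StandardCharsets.UTF_8));
    }

    private static String quote(String s) {
        return '"' + s.replace("\\", "\\\\").replace("\"", "\\\"") + '"';
    }

    /** Attach mode: java -cp agent.jar ShutdownSbomAgent <pid> <path-to-agent.jar> [out.json] */
    public static void main(String[] argv) throws Exception {
        VirtualMachine vm = VirtualMachine.attach(argv[0]);   // needs the jdk.attach module
        try {
            vm.loadAgent(argv[1], argv.length > 2 ? argv[2] : null);  // runs agentmain in the target
        } finally {
            vm.detach();
        }
    }
}
```

Two caveats a practitioner would want: `getAllLoadedClasses` only reports classes still loaded at shutdown, so anything already unloaded with its class loader is missed, and the attach API only works against JVMs running as the same user (and with `jdk.attach` present), which is why the startup `premain` path stays as a fallback.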