实现示例

type Component = { name: string; version: string }
/**
 * One resolved dependency in the build graph: the package name and the
 * exact version that was actually installed. (Note: in a file that loads
 * lib.dom this alias shadows the DOM `Node` type.)
 */
type Node = {
  name: string
  version: string
}
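/**
 * Loose SemVer check used to decide whether an SBOM version is comparable.
 *
 * Accepts `MAJOR.MINOR.PATCH` followed by an optional suffix drawn from
 * `[-A-Za-z0-9_.]`, so `1.2.3-rc.1` and `1.2.3.4` pass while `v1.2.3`,
 * `latest` and `1.2.3+build` (the `+` is not in the class) do not.
 * It is deliberately not a full SemVer 2.0 parser.
 *
 * @param v Version string as it appears in the SBOM.
 * @returns true when `v` has a numeric `x.y.z` core and an allowed suffix.
 */
function semverLike(v: string): boolean {
  return /^\d+\.\d+\.\d+[-A-Za-z0-9_.]*$/.test(v)
}

/**
 * Cross-checks a resolved dependency graph against an SBOM.
 *
 * Every graph node must be declared in the SBOM under the same name with the
 * same version; anything else is reported so a CI gate can block the build.
 * A component may legitimately be declared under several versions (two copies
 * of one package in the tree), so every declared version is kept rather than
 * letting the last SBOM entry silently win.
 *
 * @param graph Resolved dependencies — what was actually built/installed.
 * @param sbom  Components declared by the SBOM — what is attested.
 * @returns
 *   - `ok`: true only when `missing` and `mismatched` are both empty.
 *   - `missing`: graph nodes with no usable SBOM entry of that name.
 *   - `mismatched`: `name:graphVersion->declaredVersions` for nodes whose
 *     version is not among the SBOM's versions for that name.
 *   - `invalid`: SBOM entries skipped because the name is empty or the
 *     version is not semver-like. These are reported instead of dropped so a
 *     malformed or tampered SBOM entry does not just surface as `missing`;
 *     `ok` does not consider them, so a stricter gate should also require
 *     `invalid.length === 0`.
 */
function align(graph: Node[], sbom: Component[]): { ok: boolean; missing: string[]; mismatched: string[]; invalid: string[] } {
  const declared = new Map<string, Set<string>>()
  const invalid: string[] = []
  for (const c of sbom) {
    if (!c.name || !semverLike(c.version)) {
      invalid.push(`${c.name}:${c.version}`)
      continue
    }
    let versions = declared.get(c.name)
    if (!versions) {
      versions = new Set<string>()
      declared.set(c.name, versions)
    }
    versions.add(c.version)
  }

  const missing: string[] = []
  const mismatched: string[] = []
  for (const n of graph) {
    const versions = declared.get(n.name)
    if (!versions) {
      missing.push(n.name)
    } else if (!versions.has(n.version)) {
      // Single-version case keeps the `name:graph->sbom` shape; several
      // declared versions are joined with commas.
      mismatched.push(`${n.name}:${n.version}->${[...versions].join(',')}`)
    }
  }

  return { ok: missing.length === 0 && mismatched.length === 0, missing, mismatched, invalid }
}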
审计与 CI 门禁

记录缺失与不一致清单；不通过则直接阻断并提示修复路径。SBOM 与依赖图的变更需经审批并归档。
