-
When processing aggregate BOMs, it's possible to encounter projects which would cause the resolution of dependencies for a component to differ, for example
- during the resolution process, with differ…
-
# Add `anchore/syft`
We want to add `anchore/syft` because...
- it works consistently across Windows, Mac, and Linux.
- `syft` is a CLI tool from Anchore for generating SBOMs from a container o…
-
* **What are you trying to do?**
Create automated pull requests from the auditjs scanner.
* **What feature or behavior is this required for?**
[Automated Pull Requests](https://help.sonaty…
-
I appreciate this is more of a problem with the upstream tool, but I wanted to flag the data quality aspect here.
Here's an example of a Debian SBOM created using bom-v0.4.1:
```
sbomex pull --id…
```
-
Today, developers must take care to include sources in the `filegroup(name = "standard_package")` targets which are sprinkled around the repository.
In the best case, omitting one will be caught by a…
-
hey @nishakm! I just ran the example (without vagrant) on my cluster and (yay!) tern appears to not require sudo anymore, at least for this example. So to summarize the process, it was:
1. generat…
vsoch updated
2 years ago
-
### Tool or Product name
PkgToSoftwareBOM.jl
### Open Source or Proprietary
open source
### Company or Organization name
NA
### Organization or Company Logo Usage
- [ ] Already a member of SPDX…
-
The Java documentation is incomplete. I strongly doubt anyone outside of contrast would be able to use this to successfully run the CLI tool on a Java build.
There are two commands listed.
`npm in…
-
### Describe the bug
In https://github.com/scikit-image/scikit-image/issues/7443 it was noticed that
```console
gh attestation verify dist/scikit_image-*.whl --repo ${{ github.repository }}
…
```
-
### Problem overview
CycloneDX tools vary in their support for dependency graph information. For example, `cyclonedx-dotnet`@0.19.0 supports it, while `cyclonedx-node-module` does not due to https:…