-
**Is your feature request related to a problem? Please describe.**
Currently, all the dependency nodes are set to `unknown` for both SPDX and CDX. This makes it impossible to determine if the dep…
-
PURL - `'pkg:maven/org.apache.commons:io@1.3.4'` passes as valid
> p.PackageURL.fromString('pkg:maven/org.apache.commons:io@1.3.4')
PackageURL {
type: 'maven',
name: 'org.apache.commons:io'…
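As an added example that is not part of this issue or of the packageurl-js library, the following stand-alone parser shows what a type-aware check would have to do to reject the string above. It assumes the PURL spec's Maven type definition (the namespace is the groupId, the name is the artifactId) and, as this example's own rule, treats a Maven PURL with no namespace, or with a ':' inside the name, as invalid; `parsePurl`, `validatePurl` and `TYPE_RULES` are names chosen here, not packageurl-js API.

```javascript
// Added example: minimal PURL parser plus a per-type validation hook.
// The generic grammar is scheme "pkg:", then type/namespace.../name,
// then optional @version, ?qualifiers and #subpath.
function parsePurl(purl) {
  if (!purl.startsWith('pkg:')) throw new Error('missing "pkg:" scheme');
  let rest = purl.slice(4).replace(/^\/+/, '');

  // Subpath comes after the first '#'.
  let subpath = null;
  const hashIdx = rest.indexOf('#');
  if (hashIdx !== -1) {
    subpath = rest.slice(hashIdx + 1);
    rest = rest.slice(0, hashIdx);
  }

  // Qualifiers come after the first '?', as key=value pairs joined by '&'.
  const qualifiers = {};
  const qIdx = rest.indexOf('?');
  if (qIdx !== -1) {
    for (const kv of rest.slice(qIdx + 1).split('&')) {
      const [k, v] = kv.split('=');
      qualifiers[k.toLowerCase()] = decodeURIComponent(v ?? '');
    }
    rest = rest.slice(0, qIdx);
  }

  // Version comes after the last '@' (a literal '@' in names must be encoded).
  let version = null;
  const atIdx = rest.lastIndexOf('@');
  if (atIdx !== -1) {
    version = decodeURIComponent(rest.slice(atIdx + 1));
    rest = rest.slice(0, atIdx);
  }

  // What remains is type/namespace.../name; type and name are mandatory.
  const segments = rest.split('/').filter(Boolean);
  if (segments.length < 2) throw new Error('type and name are required');
  const type = segments[0].toLowerCase();
  const name = decodeURIComponent(segments[segments.length - 1]);
  const namespace = segments.length > 2
    ? segments.slice(1, -1).map(decodeURIComponent).join('/')
    : null;
  return { type, namespace, name, version, qualifiers, subpath };
}

// Type-specific rules. The Maven rule is this example's assumption:
// the spec maps namespace -> groupId and name -> artifactId, so a Maven
// PURL without a namespace, or with "groupId:artifactId" squeezed into
// the name, is rejected rather than accepted as packageurl-js does.
const TYPE_RULES = {
  maven: (p) => {
    if (!p.namespace) {
      return 'maven PURLs need a groupId namespace: pkg:maven/<groupId>/<artifactId>';
    }
    if (p.name.includes(':')) {
      return 'Maven coordinates separate groupId and artifactId with "/", not ":"';
    }
    return null;
  },
};

// Returns { valid, reason, parsed }; reason is null when the PURL passes.
function validatePurl(purl) {
  let parsed;
  try {
    parsed = parsePurl(purl);
  } catch (e) {
    return { valid: false, reason: e.message, parsed: null };
  }
  const rule = TYPE_RULES[parsed.type];
  const reason = rule ? rule(parsed) : null;
  return { valid: reason === null, reason, parsed };
}

// Constructed sample inputs: the string from the issue and a corrected form.
console.log(validatePurl('pkg:maven/org.apache.commons:io@1.3.4'));
console.log(validatePurl('pkg:maven/org.apache.commons/commons-io@1.3.4'));
```

Running this prints an invalid result with the Maven reason for the issue's string and a valid result with `namespace: 'org.apache.commons'` and `name: 'commons-io'` for the corrected form. Types without an entry in `TYPE_RULES` only get the generic grammar check, which is the behaviour the issue describes for packageurl-js today.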
-
1. create vex for log4j cve
2. add to sbom directory
-
**Describe the Feature**
I'm using tern to generate an SPDX-JSON formatted SBOM, but it only seems to support SPDX 2.2
**Use Cases**
I would like to generate a SPDX 2.3 document to maintain parity…
-
### Current Behavior:
When starting a fresh instance of Dependency-Track, there are no projects in the portfolio.
### Proposed Behavior:
Add Dependency-Track as a default project to every new portf…
-
## Summary
I wanted to try out this tool and just ran it. It didn't produce any usable output and just threw a cryptic error.
```
INFO[2022-06-09T14:24:20Z] Starting to generate SPDX ... …
```
-
This is a ticket to track a need for artifactory support as a source of sbom data.
-
It would be awesome to be able to trace which files and dependencies are either:
- used during the build
- effectively included in the built, installable files
This would be an excellent input to…
-
**Is your feature request related to a problem? Please describe.**
This is a feature, not related to a problem.
**Describe the solution you'd like**
GoReleaser has support for signing binari…
-
When using `cdxgen` for a multi-module project, the root component in the generated SBOM is one of the child modules rather than the parent module. Upon further inspection, the SBOM generated by the M…