-
**What would you like to be added**:
Support for package URL to avoid adding yet another layer of package identifiers.
https://github.com/package-url/
**Why is this needed**:
Enable integration …
-
## Background
There is a general push for SBOMs in the software community, especially after [the executive order](https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-…
-
# Bug report
### Bug description:
The SPDX SBOM shown does not meet NTIA minimum requirements; there is no creation info.
NTIA Minimum Info Requirements:
https://www.ntia.gov/sites/default/f…
-
## summary
We've been thinking about how `gh at verify` works. We've realized that `gh at verify` is in effect used to evaluate policy – and that therefore we have to improve its user experience.
As…
-
It might be of interest for you that BSI TR-03183-2 "SBOM" v2.0.0 was published along with community drafts of part 1 ("General Requirements") and part 3 ("Vulnerability Reports and Notifications"): h…
-
This issue tracks the PS SSDF items and will also contain more detail for them:
Work that addresses these items can reference this epic issue.
- PS.1.1: Store all forms of code, including source…
-
The SBOM tool uses Serilog's `ILogger` interface directly. Unfortunately, Component Detection expects the [`ILogger` interface from `Microsoft.Extensions.Logging`][1] and uses the [`Serilog.Extensions…
-
| Attribute | Implemented? |
|---|---|
| Security Insights Verified | |
| Open Source Project (Y/N) | |
| Open Source Foundation (CNCF, Apache, CDF) | |
| License File | |
| Readme File | |
| …
-
In a large software project, including homebrew projects, it is currently difficult to make a list of all licenses which a given program ought to comply with. This is less of a problem for dynamic lin…
-
Even though we are setting the verbosity to values like Warning, Fatal or Error, we still see the `information` logs:
```powershell
##[information]Finished execution of the Generate workflow SBOMT…