-
Some of the NOASSERTION fields no longer need to be included.
https://spdx.github.io/spdx-spec/v2.3/
-
Noticed that the hashes are calculated based on the real file instead of using existing information from the maven cache.
https://github.com/CycloneDX/cyclonedx-maven-plugin/blob/51bde9e135ded7248e…
-
Component.licenses has this text "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
It is not made clear what a list of licenses means.
There are at leas…
-
Hello 👋. I have quickly reviewed the spec draft here and noticed that only CycloneDX and SPDX are identified. Is SWID, more specifically the compact CBOR alternative [in IETF RFC9393](https://datatrack…
-
## Background
Early in notation development we chose `JWS` as a placeholder until we could unify on an existing signature standard. We were discussing PKCS7 but there weren't enough supporting librari…
-
**What happened**: When analyzing an image w/ various jar files, the name of the packages often does not match the expected name used in other utilities such as `grype`. Some examples:
* `jquery-de…
-
As mentioned at today's meeting (and prior meetings), SLSA is currently focused only on "integrity"; supply chain security includes more than that, notably "vulnerability management" and "developer tru…
-
Unfortunately I have not been able to test Dangerzone because converting a PDF fails with the following error message:
Any idea what may cause this? Docker installed fine. I'm running Ma…
-
### Current Behavior
It's possible to auto-create a project based on an SBOM upload API call using `autoCreate=true`. This is useful, as it means various projects across an org don't have to all main…
-
### Description
I am using docker-desktop v4.29.0. I have the same experience on Windows/WSL and on Linux Ubuntu 22.04.
I have created a Wasm image according to instructions here:
- https://gi…