-
SBoM generation tools (like cdxgen) might encounter artifacts already built along with source code and package manager manifests. In such cases, indicating the lifecycle phases associated with the giv…
-
### Describe what should be investigated or refactored
We should add continuous scanning of image dependencies in UDS Software Factory package repositories to check for both CVEs and license changes.…
-
**Is your feature request related to a problem? Please describe.**
This is a feature, not related to a problem.
**Describe the solution you'd like**
Attestations are more like a document/record…
-
Currently, Syft is used to generate SBOMs. The fidelity of the resulting SBOM is very low. It does not contain provenance information of included dependencies. This information is typically included i…
-
@proximapc
**Tool Version** v0.0.6
**Test Repo** https://github.com/dotnet-architecture/eShopOnWeb
**OS** Windows 10
Observed that NOASSERTION is displayed for PackageCopyrightText even when Co…
-
Looking at #9, I'm trying to get a better understanding of how SBOMit delivers the following:
> This specification proposes a means to generate metadata for an SBOM while the
> software is being cre…
-
For all imported libs (or files or tools) that require attribution via license, the project should follow a procedure to copy/post the attribution (entire license in most cases) into a project subdir…
-
Original Reporter: nvelagapudi
Environment: Not Specified
Version: Not Specified
Migrated From: http://jira.linuxfoundation.org/browse/SSB-67
spdx-sbom-generator tool version v0.0.3
Test Repos that I…
-
Original Reporter: nvelagapudi
Environment: Not Specified
Version: Not Specified
Migrated From: http://jira.linuxfoundation.org/browse/SSB-63
spdx-sbom-generator tool version v0.0.3
Test Repos that I…
-
SLSA materials are:
```
materials array of objects, optional
The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.
This is…
```