-
Upstream spdx tools already define structs which reflect the data model for each version of the specification. Rather than duplicate work, use the upstream models.
-
SLSA materials are:
```
materials array of objects, optional
The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on.
```
This is…
asraa updated
2 years ago
-
## Is your feature request related to a problem? Please describe.
On CI, I always need to have PHP Composer available in order to create an SBOM of a `composer.lock`.
## Describe the solution y…
-
The documentation states:
> Note: To perform a hierarchical merge all BOMs need the subject of the BOM described in the metadata component element.
There are no details here as to what this should l…
-
## Summary
Unclear how to install cleanly
## Background
Provide context to the issue - provide steps to reproduce the behavior, such as:
Tried two ways (on macOS 12.5 Beta currently):
*…
-
**Describe the bug**
SBOM analysis of this library shows open vulnerabilities due to the inclusion of the jfreechart component. This component is introduced by jasperreports, the third-party library used to ge…
-
Currently, Syft is used to generate SBOMs. The fidelity of the resulting SBOM is very low. It does not contain provenance information of included dependencies. This information is typically included i…
-
**Is your feature request related to a problem? Please describe.**
This is a feature, not related to a problem.
**Describe the solution you'd like**
Attestations are more like a document/record…
-
### Describe what should be investigated or refactored
We should add continuous scanning of image dependencies in UDS Software Factory package repositories to check for both CVEs and license changes.…
-
This issue covers setting up a secure supply chain for all the software we provide, both for Kubernetes and non-Kubernetes use cases.
In particular, #83 has some setup for how we will push a conta…