-
In the guide version 1.0, we require PackageChecksum in order to comply with the "NTIA SBOM Minimum elements" for "Component Hash".
However, SPDX 2 provides two possibilities for this, PackageCheck…
-
**What happened**:
Given a very minimal CycloneDX SBOM as input:
```
{
"bomFormat": "CycloneDX",
"specVersion": "1.6",
"components": [
{
"type": "library",
"name":…
-
### What would you like to be added?
I'd like to contribute SBOM generation to the release process of this project in both cyclonedx and spdx formats.
I'm part of https://github.com/CISA-SBOM-Co…
-
## Summary
Describe the bug - a clear and concise overview of what the bug is.
Optional flag `-f` does not output a different file type.
## Background
Provide context to the issue - provi…
-
When running `Trivy ecosystems enrich [file]` the resultant SPDX document will, on occasion, result in a concluded license (in the SPDX format) that does not validate.
From looking at the code, it …
-
Biased I know as I am the developer and maintainer of sbom4python, but useful to add this tool which generates NTIA conformant SBOMs in both CycloneDX and SPDX formats (assuming the metadata exists wi…
-
When I try to scan locally built Docker images with the Docker Scout _GUI_, then I get a security report.
However, when I use the Docker Scout CLI, then it crashes with a strange error trace. I think…
-
I worked on https://github.com/wmichalska/CreditManager repository to validate the build SBOM and below are my findings.
1. There are in total 119 dependencies obtained from the Maven Dependency Li…
-
**What happened**:
When collecting multiple BOMs with the `sbom-cataloger`, the dependency trees of the BOMs might get mixed up.
Example:
My Rust app App1 has a direct dependency `proc-macro2 1.0…
-
### **Description**:
The help documentation for the `verify file` command in `cyclonedx-cli` appears to incorrectly specify the placement of options like `--key-file` and `--signature-file`.
#### **C…