-
The main item in the SBOM should have a value of "primary" while others should say "included in" as appropriate. See https://www.ntia.gov/sites/default/files/publications/ntia_sbom_framing_2nd_edition…
-
**What would you like to be added**:
Add the ability to shell-out to known tools such as `go` and `mvn` in order to capture more accurate build-time dependency information.
**Why is this needed**:…
-
SBOMs are one artifact that a build system may output, in addition to other binaries, tarballs, etc.
We should document this in the doc https://github.com/slsa-framework/slsa-github-generator/tree/mai…
-
Referencing artifacts in external documents seems to be structurally incompatible with the approach taken in SPDX.
Propose we review the 2 approaches (SBOM and SPDX) with concrete examples and dete…
-
I used SCIO to load 3 CDX 1.4 XML SBOMs and the loads did not include any dependency. There was no related processing error from the pipeline. I have not reproduced this for JSON format but I expect t…
-
I think it would be great to have an SBOM for the project now that we are working on [dependency build audit](https://github.com/nodejs/security-wg/issues/1037).
Probably investigate on how we can ach…
-
CycloneDX 1.6 has been out for a couple of months. I believe the cyclonedx-go package now supports it; let's integrate and test it out, and make the necessary changes.
-
SLSA offers:
- A common vocabulary to talk about software supply chain security
- A way to secure your incoming supply chain by evaluating the trustworthiness of the artifacts you consume
- An ac…
-
## Issue Description
As the Platform Product Team,
We need a better inventory of our tools, versions and features that are used,
So that we can better manage and report on what is used and how
Since …
-
Suggesting a plugin to display a CycloneDX Software Bill of Materials (SBOM) Composition Report. [CycloneDX](https://cyclonedx.org/use-cases/) is a commonly used standard across a number of [too…