-
There seems to be an issue in the `tools-golang` library where the `spdxVersion` is incorrectly reported. Even when an SBOM with `spdxVersion` set to `2.2` is provided, the library returns `spdxVersio…
-
I think it would be great to have an SBOM for the project now that we are working on [dependency build audit](https://github.com/nodejs/security-wg/issues/1037).
Probably investigate how we can ach…
-
## Title: [Workload] SECURITY test: sbom_available
**Is your workload test idea related to a problem? Please describe.**
- A project should have an SBOM file available in order to check its softwa…
-
### Component
other
### Device
NovaCustom V54 14th Gen
### Dasharo version
v0.9.0
### Dasharo Tools Suite version
_No response_
### Test case ID
_No response_
### Brief summary
Newsletter h…
-
### Current Behavior
![image](https://user-images.githubusercontent.com/46081558/233088075-6ca92442-e807-46d9-b95c-6ac7ecaa47f3.png)
Although the PURL format on [Dependency Track](https://docs.…
-
NatWest Group is running an **Open Source Supply Chain Security** “FINOS Members + Limited Guests, Chatham House Rule” roundtable, to celebrate OSFF London, on behalf of the FINOS DevOps Automation SI…
-
**What would you like to be added**:
As part of anchore/grype#1609, Syft should pick up on SBOMs in containers located at `/opt/bitnami` because this is how Bitnami records what's in an image.
T…
-
* Expanding out from #2685
>SBOMs can specify a product in a number of different ways. For example, an SBOM can include a product as a Name, a CPE or a PURL (and possibly all three!). Whilst the qua…
-
**Is your feature request related to a problem? Please describe.**
We should [Detect if SBOMs generated](https://github.com/ossf/scorecard/issues/1476) (by @david-a-wheeler), and then we can scan the…
-
### Description
When parsing an SPDX file, `ExternalRef SECURITY ` is not taken into account.
### Why?
Sometimes the package name does not match the CPE name. Moreover, some CPEs can have the same produc…