-
I'm curious if conditional SBOM files specified in the source tree will be necessary. My suspicion arises from projects having different dependencies depending on platform/version/something else.
B…
-
## Is your feature request related to a problem? Please describe.
Establishing accurate component identity is important in an SBOM, as it enables users to clearly understand how each component's iden…
-
Automatically create a sensible bom-ref like "supplier/name@version" if those values are provided.
-
When I use oras to attach an artifact to an image artifact, it's displayed in a parent/child relation in the UI of Google Cloud Artifact registry.
![Image](https://github.com/user-attachments/assets/f…
-
Hi,
I am currently evaluating how I can create SBOMs out of an APK and upload them to dependency-track to check for known vulnerabilities. Today I tried blint.
I've got a simple Android app…
-
### Summary of the new feature / enhancement
> As an infrastructure engineer, I want to be able to review a software bill of materials (SBOM) for a resource before I use it in my production environme…
-
### Current Behavior
Hello,
Firstly, we upload the SBOM to one Dependency-Track server; after Dependency-Track has done its analysis, we download the SBOM from it and find that inside it the `purl` of ou…
-
How should we deal with the scenario where a maven module produces several types of output, for example both a 'regular' jar (with regular dependencies) and a 'fat' jar (with some of the dependencies …
-
#948 is able to make vulnerability to sbom correlations (and back) based only on the component names mentioned in advisories. The next step is to use graph analysis to try and find purls for these com…
-
[Issue28](https://github.com/oasis-tcs/osim/issues/28) proposes we have a place to start defining terms.
[Issue29](https://github.com/oasis-tcs/osim/issues/29) proposes to define the term "software …