-
## MENTOR
@decause-gov
## BRIEF DESCRIPTION
Code.gov is the canonical source of truth for federal open source code repositories. The website lists an index for such purposes, and has a process for i…
-
This is really not an issue specific to this tool, but if the tool were to implement a way of doing this, it would be a great contribution to the versatility of both CDX and SPDX files.
We have t…
-
In https://github.com/CycloneDX/bom-examples/tree/master/VEX/CISA-Use-Cases/Case-7 the BOMs do not contain the version of the software, but the VEX file's affects sections contain versions or version ranges (i.e. h…
-
Composer should have a built in command to export an SBOM (Software Bill of Materials). Need to still work out what format(s) to support and what kind of options may be necessary to make this useful.
-
Currently when you run `cve-bin-tool $directory` it will pick up the following:
1. Binary files which are scanned with our binary checkers
2. Files that the language parsers understand (e.g. go.mo…
-
## Assessments results on discrepancy of SBOM ecosystem and some suggestions
### Background
As SBOMs can be widely used in software supply chain management, the capability and issues within S…
-
A container of the new version v0.1.8 does not start up on OpenShift.
The container is used as part of a GitLab pipeline (hence within a runner), however on container startup the application fails…
-
### Ticket Contents
## Description
This has two aspects, the first one being more high level information such as the lines of code, contributors, dependencies, repositories, commits. An automate…
-
**Is your feature request related to a problem? Please describe.**
Past problems, including the
log4j vulnerability Log4Shell, have made it abundantly clear to many people that it's important
to …
-
`2.2 SBOM creation is automated and reproducible` means the SBOM must be reproducible, a good requirement for lvl2 and lvl3.
`2.7 SBOM is timestamped` requires a timestamp for every level.
Timest…