-
In a multi-project Gradle setup, the dependencies section has multiple blocks with the same root project ref, with different contents in the dependsOn array for each, pertaining to the sub-projects.
…
-
I have a project where sources are licensed under the `GPL-3.0-or-later` but documentation is generally licensed under `CC-BY-SA-4.0`. Some of that documentation is inline in the source files and a to…
-
**Is your feature request related to a problem? Please describe.**
Start docs aimed towards tool writers to create their own SLSA 3 builder.
Some notable items and examples we should provide:
* An…
-
Hi!
I have an idea that would make Trivy scans faster in my pipelines.
## Use case
I'm not sure if this is a common use case, so I appreciate feedback from other users here.
Currently when…
-
Duplicate components are not captured separately in a deep merge, and because of this traceability is missing, as they are consolidated into a single component.
-
Hi Team,
Is there anything that can be done to introspect the built images? I was interested to check if existing SBOM tools & CVE scanners can derive some insights from the images generated via nix2…
-
There's no clear definition of what an **artifact** is, although the meaning can be inferred when reading the specification. It is nevertheless worthwhile to have a clear [definition](https://github.com/…
-
**Description**
When running the SBOM-tool on a project that is Python based and has requirements that either have square brackets or minimum/maximum version numbers given, receiving the data comes…
-
Here is a set of pages that throw 404 errors that need updating:
```
jq '.checked [] | select(.status == 404) | {(.url.Path): {"pages":(.parents |keys)}}' links.json
{
"rekor/how-to-sign-and-u…
-
The SPDX 3.0 discussions have included questions being raised about whether CC0-1.0 should be retained as the mandatory `DataLicense` field for SPDX documents.
The SPDX legal team is gathering deta…