-
Add new commands for various component types
Add a command to print the provides tree
-
### Current Behavior
Dependency-Track v4.9 implemented support for the import of BOMs that are CycloneDX 1.5 or below. See #2850
CycloneDX 1.6 will be released before the end of March 2024, or …
-
This issue is to collect and track the use cases from the CycloneDX CBOM WG. Big thanks to all WG contributors for the feedback and the use cases!
- [x] Discovering weak algorithms
-> by querying …
bhess updated 7 months ago
-
As discussed with @n1ckl0sk0rtge, an interesting addition to CBOM is to be able to track algorithm-specific parameters and their specification.
Example:
- NIST PQC candidates come with a pdf speci…
bhess updated 7 months ago
-
Using enums in the CBOM schema limits extensibility; an alternative is to use URNs.
References:
- https://github.com/OWASP/Software-Component-Verification-Standard
- https://github.com/OWASP/Soft…
bhess updated 7 months ago
-
The documentation for 1.5-cbom-1.1 contains a proposal regarding package URLs for crypto-assets. Since crypto-assets are generally not a specific implementation that can't be linked to a specific obje…
-
`cryptoProperties` (v1.1) -> `algorithmProperties` -> `curve` is proposed as an enum. This would require an update to the CBOM schema for every new curve. Why not just use OIDs?
I went over the pro…
-
Fantastic work on CBOM. I really like how the spec has captured a lot of this data in a way that interoperates with CycloneDX.
The CycloneDX Core Working Group is busy on v1.5 of the spec to be rel…
-
The "Dependencies" section of README.md contains a small typo. Line 246 specifies
> A crypto asset A is considered as 'used' by component C if there is a `used` dependency path from C to A.
This…
-
In 2.7. Software Discovery section, some information needs to be discovered by software.
How to discover the information by software?
Should we record them into specified registers?
Or, should SW…