-
### Description
Normally `scancode` is quite predictable in its memory use. It sits around 1GB per process used (`--processes`), the absolute majority of the memory being occupied by the rule index…
-
Opening this issue to discuss and collect feedback on what areas of Guac need improved documentation. Feel free to comment with any shortcomings you've encountered in the documentation.
Some possi…
-
Currently Ghidra uses full license text in all files, while a lot of FOSS and proprietary software standardized the license and copyright information in the form of more succinct [SPDX](https://spdx.o…
-
v0.3.0 does not add the hashes for the components (ie the dependent jars).
Examples can be seen in https://github.com/CycloneDX/bom-examples/blob/master/SBOM/dropwizard-1.3.15/bom.xml -- I'm not su…
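The hashes the issue asks for, as an added example that is not part of the original report or of any CycloneDX tooling: it computes the hash entries for a dependent jar, emits the component with a Maven purl, and shows the consumer-side check that makes those hashes worth having. The jar bytes are a constructed stand-in, the Maven coordinates are illustrative, and the algorithm-name mapping is an assumption about the CycloneDX `hashes` enum.

```python
import hashlib
import json

# Assumption: mapping from hashlib names to the spelling CycloneDX uses in
# the "alg" field of a hash entry.
CDX_ALGS = {"md5": "MD5", "sha1": "SHA-1", "sha256": "SHA-256", "sha512": "SHA-512"}

# Constructed stand-in for the bytes of a dependent jar; a real build would
# read the artifact from the local Maven repository instead.
FAKE_JAR_BYTES = b"abc"


def hash_entries(data: bytes) -> list[dict]:
    """Return CycloneDX-style {"alg", "content"} entries for an artifact."""
    return [{"alg": cdx, "content": hashlib.new(py, data).hexdigest()}
            for py, cdx in CDX_ALGS.items()]


def jar_component(group: str, artifact: str, version: str, data: bytes) -> dict:
    """Describe one Maven jar as a CycloneDX component carrying its hashes."""
    return {
        "type": "library",
        "group": group,
        "name": artifact,
        "version": version,
        "purl": f"pkg:maven/{group}/{artifact}@{version}?type=jar",
        "hashes": hash_entries(data),
    }


def verify_component(component: dict, data: bytes) -> bool:
    """Check every recorded hash against freshly computed ones.

    A component with no hashes, or with an algorithm this consumer does not
    know, fails verification rather than silently passing.
    """
    by_cdx_name = {cdx: py for py, cdx in CDX_ALGS.items()}
    hashes = component.get("hashes", [])
    if not hashes:
        return False
    for entry in hashes:
        py = by_cdx_name.get(entry.get("alg"))
        if py is None:
            return False
        if hashlib.new(py, data).hexdigest().lower() != entry.get("content", "").lower():
            return False
    return True


if __name__ == "__main__":
    comp = jar_component("io.dropwizard", "dropwizard-core", "1.3.15", FAKE_JAR_BYTES)
    print(json.dumps(comp, indent=2))
    print("verified:", verify_component(comp, FAKE_JAR_BYTES))
```

`verify_component` is the reason the hashes matter: a consumer that resolves the purl from a mirror can confirm it got the bytes the producer built against, and a mismatch is a signal to investigate, not to skip.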
-
```
$ cosign attach -h
Provides utilities for attaching artifacts to other artifacts in a registry
Usage:
cosign attach [command]
Available Commands:
attestation Attach attestation t…
-
Hi!
I just came across the following blog post by John Mark.
https://aint.johnmark.org/2024/01/07/the-open-source-supply-chain-was-always-broken/
There, he proposes something which I think i…
-
Rust binaries can statically link to native libraries generated by build scripts. These libraries should be included in the SBOM.
`cargo build` JSON messages can show what libraries are linked (via…
tofay updated 3 months ago
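One way to pull those libraries out of the cargo JSON stream and into SBOM components, as an added example that is not code from the original issue or from any cargo SBOM tool. It assumes the `build-script-executed` message shape documented for `cargo build --message-format=json` (`linked_libs`, `linked_paths`, `package_id`), the older `name version (source)` package-id spelling, and the `[KIND[:MODIFIERS]=]NAME` syntax of `rustc-link-lib`; the sample messages are constructed, and the `cargo:*` property names are made up for the example.

```python
import json

# Constructed sample of `cargo build --message-format=json` stdout (not
# captured from any real project). One compiler-artifact message, two
# build-script-executed messages, a stray non-JSON line, and the finish marker.
SAMPLE_MESSAGES = """\
{"reason":"compiler-artifact","package_id":"cc 1.0.83 (registry+https://github.com/rust-lang/crates.io-index)","target":{"name":"cc"},"profile":{},"features":[],"filenames":[],"executable":null,"fresh":true}
{"reason":"build-script-executed","package_id":"libz-sys 1.1.12 (registry+https://github.com/rust-lang/crates.io-index)","linked_libs":["static=z"],"linked_paths":["native=/tmp/target/build/libz-sys-0123/out/lib"],"cfgs":[],"env":[],"out_dir":"/tmp/target/build/libz-sys-0123/out"}
{"reason":"build-script-executed","package_id":"openssl-sys 0.9.93 (registry+https://github.com/rust-lang/crates.io-index)","linked_libs":["ssl","crypto"],"linked_paths":["native=/usr/lib"],"cfgs":[],"env":[],"out_dir":"/tmp/target/build/openssl-sys-4567/out"}
warning: a stray non-JSON line, as a wrapper script might emit
{"reason":"build-finished","success":true}
"""

# Prefixes cargo accepts in rustc-link-search directives.
PATH_KINDS = {"native", "crate", "dependency", "framework", "all"}


def package_name_version(package_id: str) -> tuple[str, str]:
    """Split the assumed "name version (source)" id into (name, version)."""
    parts = package_id.split(" ")
    return parts[0], (parts[1] if len(parts) > 1 else "")


def linked_native_libs(cargo_json_lines: str, static_only: bool = False) -> list[dict]:
    """Collect native libraries that build scripts asked rustc to link.

    KIND defaults to "dylib" when the directive omits it (rustc's default);
    ":+whole-archive"-style modifiers are stripped. Non-JSON lines are
    skipped rather than fatal, so a wrapper's noise cannot abort the scan.
    """
    libs: dict[tuple[str, str], dict] = {}
    for raw in cargo_json_lines.splitlines():
        raw = raw.strip()
        if not raw.startswith("{"):
            continue
        try:
            msg = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if msg.get("reason") != "build-script-executed":
            continue
        crate, version = package_name_version(msg["package_id"])
        search_paths = []
        for p in msg.get("linked_paths", []):
            kind, sep, rest = p.partition("=")
            search_paths.append(rest if sep and kind in PATH_KINDS else p)
        for spec in msg.get("linked_libs", []):
            kind_part, sep, name = spec.partition("=")
            if not sep:
                kind_part, name = "dylib", spec
            kind = kind_part.split(":", 1)[0]
            if static_only and kind != "static":
                continue
            entry = libs.setdefault((name, kind), {
                "name": name, "kind": kind, "linked_by": [], "search_paths": []})
            entry["linked_by"].append(f"{crate} {version}".strip())
            for p in search_paths:
                if p not in entry["search_paths"]:
                    entry["search_paths"].append(p)
    return list(libs.values())


def to_cyclonedx_components(libs: list[dict]) -> list[dict]:
    """Render the collected libraries as CycloneDX components with properties."""
    comps = []
    for lib in libs:
        props = [{"name": "cargo:link-kind", "value": lib["kind"]}]
        props += [{"name": "cargo:linked-by", "value": c} for c in lib["linked_by"]]
        props += [{"name": "cargo:search-path", "value": p} for p in lib["search_paths"]]
        comps.append({"type": "library", "name": lib["name"],
                      "bom-ref": f"native:{lib['kind']}:{lib['name']}",
                      "properties": props})
    return comps


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx_components(linked_native_libs(SAMPLE_MESSAGES)), indent=2))
```

`static_only=True` narrows the result to libraries that actually end up inside the binary, which is the case the issue is about; dynamically linked ones are still worth recording, since they are a runtime dependency the SBOM would otherwise miss.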
-
The specs (incl 1.4) are unclear about whether it is mandatory or optional to use base64 encoding for license text's "content".
The fact the doc for "encoding" states it "must be one of"... "base6…
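A consumer that copes with the ambiguity, as an added example that is not the reporter's code or part of any CycloneDX library: it decodes `content` only when `encoding` says `base64`, treats missing `encoding` as literal text, and rejects anything it does not understand instead of guessing. The attachment field names (`contentType`, `encoding`, `content`) are an assumption about the JSON schema shape; the license text is constructed.

```python
import base64
import binascii


def make_license_text(text: str, use_base64: bool = True) -> dict:
    """Build a license `text` attachment, always declaring the encoding used."""
    attachment = {"contentType": "text/plain"}
    if use_base64:
        attachment["encoding"] = "base64"
        attachment["content"] = base64.b64encode(text.encode("utf-8")).decode("ascii")
    else:
        attachment["content"] = text
    return attachment


def read_license_text(attachment: dict) -> str:
    """Return the license text, honouring the declared encoding.

    No declared encoding means the content is taken literally; a declared
    base64 that fails strict validation is an error, not silently returned
    raw, so a malformed or tampered attachment cannot masquerade as text.
    """
    encoding = attachment.get("encoding")
    content = attachment["content"]
    if encoding is None:
        return content
    if encoding == "base64":
        try:
            return base64.b64decode(content, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError) as exc:
            raise ValueError(f"attachment declares base64 but content is not valid: {exc}") from exc
    raise ValueError(f"unsupported attachment encoding: {encoding!r}")


if __name__ == "__main__":
    att = make_license_text("Permission is hereby granted, free of charge, ...")
    print(att)
    print(read_license_text(att))
```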
-
OCI has done a fair bit of work on defining a new referrers API that is used to associate metadata like SBOMs, signatures, and VEX to container images. The key piece of data needed to lookup that meta…
-
**What happened**:
I am not seeing dependencies information on CycloneDX format json files even though they are present in other formats:
SPDX file snippet:
```json
"relationships": [
…
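How the SPDX relationships above map onto the CycloneDX `dependencies` array, as an added example that is not the reporter's data or the generator's code: it converts `DEPENDS_ON` and its inverse `DEPENDENCY_OF` into `ref`/`dependsOn` entries and includes a check for the reported symptom, a BOM with components but no dependency graph. The SPDX document is constructed, and using SPDXIDs directly as `bom-ref` values is an assumption made for the example.

```python
import json

# Constructed minimal SPDX 2.3 JSON document: app depends on requests,
# requests depends on urllib3, and certifi is recorded the other way round
# as a DEPENDENCY_OF requests. DESCRIBES is not a dependency and is skipped.
SPDX_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "app", "versionInfo": "1.0.0"},
        {"SPDXID": "SPDXRef-Package-requests", "name": "requests", "versionInfo": "2.31.0"},
        {"SPDXID": "SPDXRef-Package-urllib3", "name": "urllib3", "versionInfo": "2.0.7"},
        {"SPDXID": "SPDXRef-Package-certifi", "name": "certifi", "versionInfo": "2023.7.22"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package-app",
         "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-Package-app", "relatedSpdxElement": "SPDXRef-Package-requests",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Package-requests", "relatedSpdxElement": "SPDXRef-Package-urllib3",
         "relationshipType": "DEPENDS_ON"},
        {"spdxElementId": "SPDXRef-Package-certifi", "relatedSpdxElement": "SPDXRef-Package-requests",
         "relationshipType": "DEPENDENCY_OF"},
    ],
}


def spdx_dependency_edges(doc: dict) -> dict[str, set[str]]:
    """Map each package SPDXID to the set of SPDXIDs it depends on."""
    ids = {p["SPDXID"] for p in doc.get("packages", [])}
    edges = {i: set() for i in ids}
    for rel in doc.get("relationships", []):
        kind = rel.get("relationshipType")
        a, b = rel.get("spdxElementId"), rel.get("relatedSpdxElement")
        if kind == "DEPENDS_ON":
            src, dst = a, b
        elif kind == "DEPENDENCY_OF":
            src, dst = b, a
        else:
            continue
        if src in ids and dst in ids:   # ignore edges to the document or external refs
            edges[src].add(dst)
    return edges


def spdx_to_cyclonedx(doc: dict) -> dict:
    """Build a CycloneDX BOM dict with components and a dependencies array."""
    components = [{"type": "library", "bom-ref": p["SPDXID"], "name": p["name"],
                   "version": p.get("versionInfo", "")} for p in doc.get("packages", [])]
    deps = [{"ref": ref, "dependsOn": sorted(targets)}
            for ref, targets in sorted(spdx_dependency_edges(doc).items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4",
            "components": components, "dependencies": deps}


def has_dependency_graph(bom: dict) -> bool:
    """True when a BOM with components also records at least one dependency edge."""
    if not bom.get("components"):
        return False
    return any(d.get("dependsOn") for d in bom.get("dependencies", []))


if __name__ == "__main__":
    bom = spdx_to_cyclonedx(SPDX_DOC)
    print(json.dumps(bom["dependencies"], indent=2))
    print("dependency graph present:", has_dependency_graph(bom))
```

`has_dependency_graph` is the check to run on generator output: a CycloneDX file whose `dependencies` array is absent or all-empty while the SPDX output carries `DEPENDS_ON` relationships is exactly the mismatch reported here.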