-
Introduce VEX Support to DejaCode
- enhance the data model to support a Product VEX List
- provide export capabilities for product VEX documents that comply with industry-recognized formats
Here are…
-
We could document how one can use an SPDX SBOM, e.g. one produced by FOSSology or another tool, as a basis for adding REUSE information to the covered files.
As modern SBOMs are often JSON, it s…
-
There are a couple of EU laws coming that require users to gather information on all their software dependencies in order to conduct cybersecurity assessments, and use this as part of managing their so…
-
SLSA offers:
- A common vocabulary to talk about software supply chain security
- A way to secure your incoming supply chain by evaluating the trustworthiness of the artifacts you consume
- An ac…
-
Composer should have a built-in command to export an SBOM (Software Bill of Materials). Still need to work out what format(s) to support and what kind of options may be necessary to make this useful.
-
While most of Maven/Gradle projects are either a single module or multimodule projects producing binary artifacts from the same codebase repository, there are also projects whose modules are distribut…
-
**What happened**:
I'm trying to use grype to search for vulnerabilities for an embedded project using an SBOM file (using the CycloneDX specification). I add embedded components like FreeRTOS, STM32L4 …
-
**Is your feature request related to a problem? Please describe.**
A clear unique identification (PURL) of each package/component is missing, but an SBOM often includes several package types.
**Des…
-
**What happened**:
I am not seeing dependency information in CycloneDX-format JSON files even though it is present in other formats:
SPDX file snippet:
```json
"relationships": [
…
```
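The two issues above (a missing unique PURL per component, and SPDX `relationships` not surfacing as CycloneDX `dependencies`) are two sides of the same conversion problem: the dependency graph can only be emitted if every node has a stable `bom-ref`, and the PURL is the natural choice for that across mixed package types. The following is an added example, not code from either issue or from any SBOM tool; the SPDX document, the package names and versions, and the function names (`spdx_to_cyclonedx`, `dangling_dependency_refs`) are constructed here for illustration.

```python
"""Added example: emit CycloneDX `dependencies` from SPDX 2.3 `relationships`,
using each package's PURL as bom-ref so mixed package types stay unique."""
import json

# Constructed SPDX 2.3 input for this example (not the file from the issue).
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app",
    "packages": [
        {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.0.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/example-app@1.0.0"}]},
        {"name": "requests", "SPDXID": "SPDXRef-requests", "versionInfo": "2.31.0",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
        {"name": "urllib3", "SPDXID": "SPDXRef-urllib3", "versionInfo": "2.0.7",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:pypi/urllib3@2.0.7"}]},
        {"name": "lodash", "SPDXID": "SPDXRef-lodash", "versionInfo": "4.17.21",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        # A vendored blob with no PURL: it must still get an addressable bom-ref.
        {"name": "vendored-blob", "SPDXID": "SPDXRef-blob", "versionInfo": "0.1"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-requests"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-lodash"},
        {"spdxElementId": "SPDXRef-requests", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-urllib3"},
        # The same edge type written in the inverse direction; normalise it, do not drop it.
        {"spdxElementId": "SPDXRef-blob", "relationshipType": "DEPENDENCY_OF",
         "relatedSpdxElement": "SPDXRef-app"},
    ],
}


def purl_of(pkg):
    """Return the package's PURL external reference, or None if it has none."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref["referenceLocator"]
    return None


def bom_ref_for(pkg):
    """Prefer the PURL as bom-ref (unique across package types); fall back to the SPDXID."""
    return purl_of(pkg) or pkg["SPDXID"]


def to_component(pkg):
    comp = {"type": "library", "bom-ref": bom_ref_for(pkg),
            "name": pkg["name"], "version": pkg.get("versionInfo", "")}
    if purl_of(pkg):
        comp["purl"] = purl_of(pkg)
    return comp


def spdx_to_cyclonedx(spdx):
    """Build a CycloneDX 1.4 JSON BOM whose `dependencies` mirror the SPDX relationships."""
    by_id = {p["SPDXID"]: p for p in spdx["packages"]}
    refs = {sid: bom_ref_for(p) for sid, p in by_id.items()}
    edges = {sid: set() for sid in by_id}  # SPDXID -> SPDXIDs it depends on
    root = None
    for rel in spdx.get("relationships", []):
        src, kind, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if kind == "DESCRIBES" and src == spdx["SPDXID"]:
            root = dst
        elif kind == "DEPENDS_ON" and src in edges and dst in edges:
            edges[src].add(dst)
        elif kind == "DEPENDENCY_OF" and src in edges and dst in edges:
            edges[dst].add(src)  # "A DEPENDENCY_OF B" means B depends on A
    bom = {"bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
           "components": [to_component(p) for sid, p in by_id.items() if sid != root],
           "dependencies": [{"ref": refs[sid], "dependsOn": sorted(refs[d] for d in deps)}
                            for sid, deps in edges.items()]}
    if root is not None:
        bom["metadata"] = {"component": to_component(by_id[root])}
    return bom


def dangling_dependency_refs(bom):
    """Consistency check: every `ref` and `dependsOn` entry must name a component in the BOM."""
    known = {c["bom-ref"] for c in bom.get("components", [])}
    if "metadata" in bom and "component" in bom["metadata"]:
        known.add(bom["metadata"]["component"]["bom-ref"])
    used = set()
    for dep in bom.get("dependencies", []):
        used.add(dep["ref"])
        used.update(dep["dependsOn"])
    return used - known


if __name__ == "__main__":
    print(json.dumps(spdx_to_cyclonedx(SPDX_DOC), indent=2))
```

The `DESCRIBES` target becomes `metadata.component`, which is where CycloneDX expects the root; `dangling_dependency_refs` is the check worth running on any converter output, since a `dependsOn` entry that points at a bom-ref no component carries is exactly the kind of silent loss the issue above reports.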
-
## Issue Description
As the Platform Product Team,
We need a better inventory of our tools, versions and features that are used,
So that we can better manage and report on what is used and how
Since …