-
We need an automated method for evaluating the "completeness" of SBOMs which can be incorporated into a pipeline.
The following tools have quality checks:
- [sbomqs](https://github.com/interlynk-io/sb…
-
@yashlamba @sakshamarora1 and I talked about this last night in relation to @builtree
- https://patterns.innersourcecommons.org/
- https://intel.github.io/dffml/main/examples/innersource/index.htm…
-
**What would you like to be added**:
Support tracking the full dependency graph for packages in the form of relationships, for the ecosystems that support extracting this information.
**Why is thi…
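The two requests above (an automated, pipeline-friendly completeness check, and tracking the dependency graph as relationships) can be served by one check. The following is an added example written for this page, not code from sbomqs or from any project mentioned here. It assumes a CycloneDX 1.5 JSON SBOM; the sample document is constructed with deliberate gaps, and the check names other than `comp_with_name` and `sbom_authors` (which appear in the sbomqs feature list on this page) are this example's own naming.

```python
import json

# Check names loosely follow the sbomqs "--feature" vocabulary seen on this page
# (comp_with_name, sbom_authors); the remaining names are this example's own.
ALL_FEATURES = frozenset({
    "sbom_authors", "sbom_timestamp",
    "comp_with_name", "comp_with_version", "comp_with_purl",
    "comp_with_licenses", "comp_in_dependency_graph",
})

# Constructed CycloneDX 1.5 JSON (not from any real project) with deliberate gaps.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {
        "timestamp": "2024-01-01T00:00:00Z",
        "authors": [{"name": "ci-pipeline"}],
        "component": {"bom-ref": "app@1.0.0", "name": "app", "version": "1.0.0"},
    },
    "components": [
        {"bom-ref": "pkg:npm/lodash@4.17.21", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21", "licenses": [{"license": {"id": "MIT"}}]},
        {"bom-ref": "pkg:npm/left-pad@1.3.0", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},                      # no license
        {"bom-ref": "comp-3", "name": "mystery"},                  # no version, purl, license
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["pkg:npm/lodash@4.17.21"]},
        # left-pad and mystery are inventoried but never wired into the graph
    ],
})


def _reachable_refs(root, dependencies):
    """Walk dependsOn edges from the root component; return (reached refs, edge map)."""
    edges = {d.get("ref"): d.get("dependsOn", []) for d in dependencies}
    seen, stack = set(), ([root] if root else [])
    while stack:
        ref = stack.pop()
        if ref in seen:
            continue
        seen.add(ref)
        stack.extend(edges.get(ref, []))
    return seen, edges


def check_completeness(sbom_json, features=ALL_FEATURES):
    """Run the selected checks; return {"score": passed/total, "findings": [...]}.

    Every component contributes its own checks, so one incomplete component
    cannot hide behind many complete ones.
    """
    sbom = json.loads(sbom_json)
    meta = sbom.get("metadata", {})
    components = sbom.get("components", [])
    total, findings = 0, []

    def record(feature, ok, message):
        nonlocal total
        if feature not in features:
            return
        total += 1
        if not ok:
            findings.append(f"{feature}: {message}")

    record("sbom_authors", bool(meta.get("authors") or meta.get("tools")),
           "no author or generating tool recorded")
    record("sbom_timestamp", bool(meta.get("timestamp")), "no creation timestamp")

    root = meta.get("component", {}).get("bom-ref")
    reachable, edges = _reachable_refs(root, sbom.get("dependencies", []))
    known = {c.get("bom-ref") for c in components} | ({root} if root else set())

    for comp in components:
        label = comp.get("bom-ref") or comp.get("name") or "<unnamed>"
        record("comp_with_name", bool(comp.get("name")), f"{label} has no name")
        record("comp_with_version", bool(comp.get("version")), f"{label} has no version")
        record("comp_with_purl", bool(comp.get("purl")), f"{label} has no purl")
        record("comp_with_licenses", bool(comp.get("licenses")), f"{label} has no license")
        record("comp_in_dependency_graph", comp.get("bom-ref") in reachable,
               f"{label} is not reachable from the root component")

    # Edges that point at refs no component declares: the graph claims more than the inventory.
    for ref, deps in edges.items():
        for dep in deps:
            record("comp_in_dependency_graph", dep in known,
                   f"{ref} depends on undeclared ref {dep}")

    score = round((total - len(findings)) / total, 2) if total else 0.0
    return {"score": score, "findings": findings}


def gate(sbom_json, min_score=0.9, features=ALL_FEATURES):
    """Pipeline entry point: True when the SBOM clears the threshold."""
    return check_completeness(sbom_json, features)["score"] >= min_score


if __name__ == "__main__":
    result = check_completeness(SAMPLE_SBOM)
    for finding in result["findings"]:
        print(finding)
    print("score", result["score"], "PASS" if gate(SAMPLE_SBOM) else "FAIL")
```

The graph check is what turns "list of components" into a relationship-aware result: a component that exists in the inventory but is not reachable from the root, or an edge to a ref that no component declares, are both reported as findings rather than silently counted as complete.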
-
Hi!
I just came across the following blog post by John Mark.
https://aint.johnmark.org/2024/01/07/the-open-source-supply-chain-was-always-broken/
There, he proposes something which I think i…
-
Currently, Argo CD uses `ubuntu:21.10` as a base image.
Should an attacker gain access to the container they'll have a shell to use. They'll also have access to the Kubernetes API. Currently, they …
-
A container of the new version v0.1.8 does not start up on OpenShift.
The container is used as part of a GitLab pipeline (hence within a runner), however on container startup the application fails…
-
### What is it?
How do we get all the dependency data and link it to projects?
-
Just a heads-up: SLSA 1.0 is currently out as a release candidate and will probably go live at the end of March 2023.
Would buildkit be interested in supporting the new spec? I can't help with th…
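A consumer that wants to accept provenance during the transition has to read both the v0.2 and the v1 predicate layouts. The following is an added example for this page, not buildkit code and not the SLSA project's own tooling. It assumes the published field names of the two predicate versions (builder.id / buildType / materials in v0.2; buildDefinition and runDetails in v1) and uses two constructed in-toto statements as input; the builder IDs and subject digests are made up.

```python
import json

STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
SLSA_V02 = "https://slsa.dev/provenance/v0.2"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed statements (not real attestations); digests and builder IDs are made up.
STATEMENT_V02 = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa" * 32}}],
    "predicateType": SLSA_V02,
    "predicate": {
        "builder": {"id": "https://ci.example/builders/legacy@v1"},
        "buildType": "https://ci.example/build-types/docker@v1",
        "materials": [{"uri": "git+https://example.com/repo@refs/heads/main",
                       "digest": {"sha1": "bb" * 20}}],
    },
})

STATEMENT_V1 = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "aa" * 32}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://ci.example/build-types/docker@v1",
            "externalParameters": {"source": "git+https://example.com/repo"},
            "resolvedDependencies": [{"uri": "git+https://example.com/repo@refs/heads/main",
                                      "digest": {"gitCommit": "bb" * 20}}],
        },
        "runDetails": {"builder": {"id": "https://ci.example/builders/hosted@v2"}},
    },
})


def _require(obj, dotted_path):
    """Return the value at a.b.c inside nested dicts, or raise ValueError naming the gap."""
    cur = obj
    for key in dotted_path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            raise ValueError(f"missing required field: {dotted_path}")
        cur = cur[key]
    return cur


def parse_provenance(statement_json):
    """Normalise a v0.2 or v1 SLSA provenance statement into one summary dict."""
    st = json.loads(statement_json)
    if st.get("_type") not in STATEMENT_TYPES:
        raise ValueError(f"unsupported statement type: {st.get('_type')}")
    subjects = _require(st, "subject")
    if not subjects or any(not s.get("digest") for s in subjects):
        raise ValueError("every subject needs a digest")
    predicate_type = _require(st, "predicateType")
    pred = _require(st, "predicate")

    if predicate_type == SLSA_V02:
        return {
            "slsa_version": "0.2",
            "builder_id": _require(pred, "builder.id"),
            "build_type": _require(pred, "buildType"),
            "dependencies": [m.get("uri") for m in pred.get("materials", [])],
            "subjects": [(s["name"], s["digest"]) for s in subjects],
        }
    if predicate_type == SLSA_V1:
        build_def = _require(pred, "buildDefinition")
        return {
            "slsa_version": "1.0",
            "builder_id": _require(pred, "runDetails.builder.id"),
            "build_type": _require(build_def, "buildType"),
            "dependencies": [d.get("uri") for d in build_def.get("resolvedDependencies", [])],
            "subjects": [(s["name"], s["digest"]) for s in subjects],
        }
    raise ValueError(f"unsupported predicate type: {predicate_type}")


def builder_is_trusted(summary, trusted_builder_ids):
    """Policy hook: the builder ID is the field a verifier pins, whichever spec version."""
    return summary["builder_id"] in trusted_builder_ids


if __name__ == "__main__":
    for doc in (STATEMENT_V02, STATEMENT_V1):
        summary = parse_provenance(doc)
        print(summary["slsa_version"], summary["builder_id"], summary["build_type"])
```

Normalising both layouts into the same summary keeps the policy side (which builder IDs are trusted, which build types are allowed) independent of the spec version the producer happened to emit, so a build system can roll out the v1 predicate without every consumer changing at once.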
-
## Description
Currently, the `sbomqs score` command supports specifying multiple features with commas, such as:
`$ sbomqs score --feature comp_with_name,comp_with_uniq_ids,sbom_authors,sbom_creat…
-
The `yarn install` command has the [`--frozen-lockfile`](https://classic.yarnpkg.com/lang/en/docs/cli/install/#toc-yarn-install-frozen-lockfile) flag that is supposed to fail if an update is needed to…