-
## Description
Syft offers the following two flags which could be useful for populating metadata on how an SBOM was generated
```
--source-name string set the name of…
```
-
From https://downloads.scylladb.com/downloads/scylla-enterprise/sbom/scylladb-2024.1/scylladb_sbom_report_2024.1.4.csv:
```
type name version licenses
library scylla-tools 2024.1.4-0.20240428.6…
```
-
In this case, the SPDX spec itself is silent on whether it should be upper or lower case (or if either is acceptable, though the example provided is lower case), but the [SPDX 2.3.1 JSON schema](https://gi…
-
Hi CycloneDX Team,
Is there any way to scan the Tycho dependencies using cyclonedx-maven-plugin?
I found that the [syft](https://github.com/anchore/syft) tool can generate CycloneDX format but i…
-
## Abstract
Since osv-scanner cannot support the dnf package manager (https://github.com/google/osv-scanner/issues/999), and we are informed that osv-scanner can take output from syft (https://github.co…
-
from @ewels
Seeing more and more people ask about SBOM documents for pipelines / containers (software bill of materials). It looks like Trivy can generate SBOMs. Is this something that we could get …
-
Suggesting a plugin to display a CycloneDX Software Bill of Materials (SBOM) Composition Report. [CycloneDX](https://cyclonedx.org/use-cases/) is a commonly used standard across a number of [too…
-
SLSA offers:
- A common vocabulary to talk about software supply chain security
- A way to secure your incoming supply chain by evaluating the trustworthiness of the artifacts you consume
- An ac…
-
Hello :wave:
When publishing an image with the default parameters and `--image-refs=refs-file`, `ko` publishes an image for the SBOM in `KO_DOCKER_REPO`. However, this image is not included in the …
-
As I understand it, LIB4SBOM_CYCLONEDX_VERSION and LIB4SBOM_SPDX_VERSION can control SBOM version outputs through lib4sbom. In addition, it would be nice if distro2SBOM incorporated the ability to sp…