-
Currently there are [SBOM](https://github.com/CycloneDX/bom-examples/tree/master/SBOM) CycloneDX examples of version
-
See https://github.com/CycloneDX/bom-examples/tree/master/VEX.
VEX and SBOM should be separate from each other.
-
### Current Behavior
In our Production environment we have observed that alerts for vulnerabilities are being triggered based on outdated versions of dependencies that have already been patched. Thes…
-
Add support for sbomqs to read SBOMs present in the URL.
-
Some Maven libraries publish shaded artifacts that contain many if not all their dependencies.
Since it is impossible to guess which artifacts were shaded from the POM file alone, the CycloneDX plu…
-
**What happened**:
When running `syft` against a project using Swift Package Manager and a version 3 Package.resolved file, an error occurred (`error=unknown swift package manager version, 3.000000 …
-
### Current Behavior:
(1) PUT /v1/component/project/{uuid} method does not give you a token to know if the component is being processed or not.
(2) GET /v1/vulnerability/component/{uuid} method retur…
-
### Proposal
We run prometheus in our FedRAMP environment and use various container scanning tools like ECR, trivy/clair, and snyk to scan containers for vulnerabilities. These tools have trouble or …
-
## Assessments results on discrepancy of SBOM ecosystem and some suggestions
### Background
As SBOM can be widely used in software supply chain management, the capability and issues within S…
-
As part of the US national cybersecurity executive order, there are certain security practices that organizations need to enforce. One such is the Software Bill of Materials (SBOM) as detailed in sect…