CERTCC / SBOM

Examples and proof-of-concept for Software Bill of Materials (SBOM) code & data
MIT License
57 stars 16 forks

SwiftBom tool #14

Closed Nikhil1819 closed 8 months ago

Nikhil1819 commented 2 years ago

Hi @sei-vsarvepalli, I have tried to generate an SBOM using the default example (ACME) on SwiftBom and with a general npm package. I see the vulnerabilities list in the CycloneDX XML format, but I am unable to see it in the CycloneDX JSON format.

sei-vsarvepalli commented 2 years ago

Hello @Nikhil1819

This is a known limitation of the CycloneDX JSON format. You can check out https://cyclonedx.org/use-cases/#vulnerability-disclosure

In JSON the option is to refer to a CPE or SWID tag that can be used to look up (externally) the CVE that is considered a "Known Vulnerability." In the other "Vulnerability Remediation" use case, you can use the package pedigree validation to announce and absorb a patch.

You can check out all the use cases on the CycloneDX site, which will guide you about CycloneDX usage:

https://cyclonedx.org/use-cases/
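As an added example (not code from the CERTCC/SBOM repo or from either commenter), the check below walks a constructed CycloneDX JSON document of the kind discussed above: it confirms no vulnerability list is embedded, collects the CPE, SWID and purl identifiers a consumer would need for an external known-vulnerability lookup, and surfaces security issues the pedigree says were patched. The SBOM text, package names and the issue id are placeholders.

```python
import json

# Constructed CycloneDX JSON SBOM (placeholder content, not from the page).
# The JSON schema referred to in the thread carries no "vulnerabilities"
# array, so consumers must key off per-component identifiers instead.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.2", "version": 1,
  "components": [
    {"type": "library", "name": "example-lib", "version": "1.0.0",
     "purl": "pkg:npm/example-lib@1.0.0",
     "cpe": "cpe:2.3:a:example:example-lib:1.0.0:*:*:*:*:*:*:*"},
    {"type": "library", "name": "other-lib", "version": "2.1.0",
     "swid": {"tagId": "example.com-other-lib-2.1.0",
              "name": "other-lib", "version": "2.1.0"},
     "pedigree": {"patches": [{"type": "backport",
        "resolves": [{"type": "security", "id": "PLACEHOLDER-ID",
                      "source": {"name": "NVD"}}]}]}},
    {"type": "library", "name": "orphan-lib", "version": "0.9.0"}
  ]
}"""

def lookup_keys(bom):
    """Per component: identifiers usable for an external vulnerability
    lookup (cpe, swid tagId, purl) plus security issues patched per pedigree."""
    rows = []
    for comp in bom.get("components", []):
        ids = {}
        if "cpe" in comp:
            ids["cpe"] = comp["cpe"]
        if "purl" in comp:
            ids["purl"] = comp["purl"]
        if "tagId" in comp.get("swid", {}):
            ids["swid"] = comp["swid"]["tagId"]
        # Pedigree "Vulnerability Remediation" use case: patches that resolve
        # issues of type "security" announce an absorbed fix.
        patched = [issue["id"]
                   for patch in comp.get("pedigree", {}).get("patches", [])
                   for issue in patch.get("resolves", [])
                   if issue.get("type") == "security" and "id" in issue]
        rows.append({"name": comp["name"], "version": comp.get("version"),
                     "identifiers": ids, "patched_security_issues": patched,
                     "lookup_possible": bool(ids)})
    return rows

def audit(sbom_text):
    """Summarise whether a JSON SBOM embeds vulnerabilities and which
    components lack any identifier for an external lookup."""
    bom = json.loads(sbom_text)
    rows = lookup_keys(bom)
    return {"has_vulnerabilities_array": "vulnerabilities" in bom,
            "components": rows,
            "unresolvable": [r["name"] for r in rows if not r["lookup_possible"]]}

if __name__ == "__main__":
    print(json.dumps(audit(SBOM_JSON), indent=2))
```

Components listed under "unresolvable" carry neither CPE, SWID nor purl, so no external vulnerability source can be consulted for them from this SBOM alone.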