Open cdacshubhambhingarde opened 11 months ago
@cdacshubhambhingarde, in my personal opinion, hash-based comparisons are unreliable and less likely to work. cdxgen addresses this problem in two ways:
-t maven-cache
would generate an SBoM for all jars in the maven cache, along with the class names in each jar. I hope this helps!
Is it possible to integrate the authentication of components in the upcoming version of cdxgen?
@Shubham-Bhingarde, let me think about this. We need a database with the source of truth to make this work.
We are seeking a solution to determine how to authenticate the libraries/components pulled from trusted sources in a Java project. In our Java project, we have utilized Maven repositories, and we are now attempting to verify whether developers have obtained these components from authenticated sources. Currently, the solution we are using involves the following steps:
If there is a solution available for generating a Bill of Materials (BOM) that can authenticate the components used from Open Source Software (OSS), this could help in resolving any tampered components used in the project and ensure a smooth Software Development Life Cycle (SDLC).
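One concrete check for the question raised in this issue, as an added example that is not part of the thread and is not cdxgen's own code: walk a local Maven cache (`~/.m2/repository` layout), record which repository id Maven Resolver says each jar was resolved from, and confirm the jar on disk still matches the `.sha1` sidecar that was downloaded with it. It assumes the `_remote.repositories` marker format (`file>repoId=`, with an empty id for locally installed files; the file itself states the format is internal and may change), a hypothetical `TRUSTED_REPO_IDS` policy set, and a constructed sample repository tree written to a temporary directory. The sidecar check only detects changes made after download, since the checksum comes from the same repository as the jar, so it is paired with the origin check rather than used alone.

```python
import hashlib
import tempfile
from pathlib import Path

# Repository ids the project is allowed to resolve from. Hypothetical policy
# list: the ids must match the <id> values in the project's pom.xml/settings.xml.
TRUSTED_REPO_IDS = {"central"}


def sha1_of(path: Path) -> str:
    """Hex SHA-1 of a file, streamed so large jars do not land in memory."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_remote_repositories(marker: Path) -> dict:
    """Parse a Maven Resolver `_remote.repositories` marker file.

    Assumed format: '#' comment lines, then lines like `foo-1.0.jar>central=`.
    An empty repo id (`foo-1.0.jar>=`) means the file was installed locally.
    """
    origins = {}
    for line in marker.read_text(encoding="utf-8").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ">" not in line:
            continue
        fname, rest = line.split(">", 1)
        origins[fname] = rest.split("=", 1)[0]
    return origins


def audit_local_repo(repo_root: Path) -> list:
    """Return (posix_relative_path, problem) pairs for jars that fail a check."""
    findings = []
    for jar in sorted(repo_root.rglob("*.jar")):
        rel = jar.relative_to(repo_root).as_posix()

        # Check 1: jar bytes still match the .sha1 sidecar downloaded with it.
        # Catches on-disk corruption or post-download tampering only.
        sidecar = jar.with_name(jar.name + ".sha1")
        if not sidecar.exists():
            findings.append((rel, "no .sha1 sidecar"))
        else:
            parts = sidecar.read_text(encoding="utf-8").split()
            expected = parts[0].lower() if parts else ""
            if sha1_of(jar) != expected:
                findings.append((rel, "sha1 mismatch"))

        # Check 2: which repository id the resolver recorded as the origin.
        marker = jar.with_name("_remote.repositories")
        if not marker.exists():
            findings.append((rel, "no _remote.repositories marker"))
            continue
        repo_id = parse_remote_repositories(marker).get(jar.name)
        if repo_id is None:
            findings.append((rel, "not listed in _remote.repositories"))
        elif repo_id == "":
            findings.append((rel, "installed locally, not downloaded from any repository"))
        elif repo_id not in TRUSTED_REPO_IDS:
            findings.append((rel, f"resolved from untrusted repository '{repo_id}'"))
    return findings


def _add_artifact(root: Path, name: str, version: str, repo_id: str, tamper: bool = False) -> None:
    """Write one constructed artifact directory in the ~/.m2/repository layout."""
    d = root / "org" / "example" / name / version
    d.mkdir(parents=True)
    jar = d / f"{name}-{version}.jar"
    jar.write_bytes(b"PK\x03\x04 constructed jar bytes for " + name.encode())
    jar.with_name(jar.name + ".sha1").write_text(sha1_of(jar), encoding="utf-8")
    if tamper:  # alter the bytes after the sidecar was written
        jar.write_bytes(b"PK\x03\x04 modified after download")
    (d / "_remote.repositories").write_text(
        "#NOTE: constructed marker file\n"
        f"{jar.name}>{repo_id}=\n"
        f"{name}-{version}.pom>{repo_id}=\n",
        encoding="utf-8",
    )


def run_demo() -> list:
    """Build a constructed local repository, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        _add_artifact(root, "good-lib", "1.0", "central")
        _add_artifact(root, "mirror-lib", "2.0", "mirror")  # unapproved repo id
        _add_artifact(root, "local-lib", "3.0", "")  # as mvn install:install-file
        _add_artifact(root, "tampered-lib", "4.0", "central", tamper=True)
        return audit_local_repo(root)


if __name__ == "__main__":
    for rel, problem in run_demo():
        print(f"{rel}: {problem}")
```

Run it against a real cache with `audit_local_repo(Path.home() / ".m2" / "repository")`; anything reported as installed locally or resolved from an id outside the policy set is an artifact whose origin the build did not go through an approved repository for, which is the question the issue asks about.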