DependencyTrack / dependency-track

Dependency-Track is an intelligent Component Analysis platform that allows organizations to identify and reduce risk in the software supply chain.
https://dependencytrack.org/
Apache License 2.0

Change analysis for SBOMs #1221

Open artem-smotrakov opened 3 years ago

artem-smotrakov commented 3 years ago

Hey! First of all, I'd like to thank you all for developing such a great project!

It would be great if Dependency Track could display the difference between two SBOMs. That would help with analysing changes between versions of a project. At first, Dependency Track could display basic diffs for components and services, for example what was added/removed and which versions/URLs were updated.

I've looked for existing open/closed issues but didn't find anything. What do you think about it? Are you willing to accept this contribution?

Current Behavior:

Dependency Track can't show the difference between two SBOMs.

Proposed Behavior:

stevespringett commented 3 years ago

That would be a useful enhancement. The CycloneDX CLI supports diffs between SBOMs. DT currently doesn't keep SBOMs after they're consumed. This is being discussed in #877.
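As an added illustration of the basic component diff proposed in the issue (added/removed components, changed versions and purls), here is a small Python script written for this page; it is not code from Dependency-Track or the CycloneDX CLI, and the two SBOMs it compares are constructed samples in the CycloneDX 1.4 JSON shape.

```python
"""Diff two CycloneDX JSON SBOMs (components only): added, removed, version/purl changes."""
import json


def _sbom(components):
    # Constructed CycloneDX 1.4 JSON, reduced to the fields the diff reads.
    return json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components})


def _lib(group, name, version):
    return {"type": "library", "group": group, "name": name, "version": version,
            "purl": f"pkg:maven/{group}/{name}@{version}"}


# Constructed "before" and "after" SBOMs: two upgrades, one removal, one addition.
OLD_SBOM = _sbom([_lib("com.fasterxml.jackson.core", "jackson-databind", "2.9.10"),
                  _lib("org.apache.logging.log4j", "log4j-core", "2.14.1"),
                  _lib("commons-io", "commons-io", "2.6")])
NEW_SBOM = _sbom([_lib("com.fasterxml.jackson.core", "jackson-databind", "2.13.0"),
                  _lib("org.apache.logging.log4j", "log4j-core", "2.17.1"),
                  _lib("org.yaml", "snakeyaml", "1.30")])


def component_key(component):
    """Version-independent identity: the purl with its @version (and anything after it)
    dropped, falling back to group/name when the component carries no purl."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return f"{component.get('group', '')}/{component['name']}"


def diff_sboms(old_json, new_json, fields=("version", "purl")):
    """Return added/removed component keys and, for components present in both SBOMs,
    the tracked fields whose value changed as (old, new) pairs."""
    old = {component_key(c): c for c in json.loads(old_json).get("components", [])}
    new = {component_key(c): c for c in json.loads(new_json).get("components", [])}
    changed = {}
    for key in old.keys() & new.keys():
        delta = {f: (old[key].get(f), new[key].get(f))
                 for f in fields if old[key].get(f) != new[key].get(f)}
        if delta:
            changed[key] = delta
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


if __name__ == "__main__":
    print(json.dumps(diff_sboms(OLD_SBOM, NEW_SBOM), indent=2))
```

Keying on the version-less purl is what turns a dependency upgrade into a "changed" entry instead of one removal plus one addition; services could be diffed the same way keyed on their name or bom-ref.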