Masterminds / semver

Work with Semantic Versions in Go
MIT License
1.21k stars, 151 forks

Add Support for SBOM Generation. #250

Open viveksahu26 opened 1 month ago

viveksahu26 commented 1 month ago

I've noticed that this project currently does not generate a Software Bill of Materials (SBOM). An SBOM is a critical document for tracking software dependencies, ensuring compliance, and enhancing security. It is increasingly important for understanding what components are included in a software release, particularly as supply chain security becomes more vital.

There are several tools for generating SBOMs for different project types, such as:

mattfarina commented 1 month ago

@viveksahu26 this is a library that has no dependencies (other than the Go standard library). There is no binary output (only the source).

What is the use case for this library providing an SBOM? In what formats and to what locations should an SBOM be provided?

viveksahu26 commented 1 month ago

Yeah, AFAIK, all the SBOM-generating tools for Go projects working from the source/build phase look for the go.mod file for dependencies, i.e. the require directive. And since this project has no external dependencies, there is no require directive. As a result, the SBOM tools can't generate an SBOM for it. But let me look further into whether it is possible to generate an SBOM or not, and I will get back to you.
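The mechanism this thread turns on (SBOM generators read the `require` directives in go.mod, so a module with none yields nothing) can be shown concretely with a small Go program. This is an added example, not code from this project or from either commenter: it parses a go.mod's `module` and `require` directives (single-line and block form, comments stripped) and emits a CycloneDX-style JSON document that still carries the root component when the dependency list is empty. Assumptions: only a subset of CycloneDX fields is emitted, the `pkg:golang/<path>@<version>` purl form with a lowercased path, the two constructed go.mod inputs (the dependency-free one uses the repository's v3 module path), and a placeholder root version, since go.mod does not record the module's own version.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Component is one SBOM entry; field names follow the CycloneDX JSON shape
// (assumption: only this subset of the format's fields is emitted).
type Component struct {
	Type    string `json:"type"`
	Name    string `json:"name"`
	Version string `json:"version"`
	Purl    string `json:"purl"`
}

// BOM holds the root module under metadata and its dependencies under components.
type BOM struct {
	BOMFormat   string `json:"bomFormat"`
	SpecVersion string `json:"specVersion"`
	Metadata    struct {
		Component Component `json:"component"`
	} `json:"metadata"`
	Components []Component `json:"components"`
}

// goComponent builds a library component; the purl "golang" type lowercases the path.
func goComponent(path, version string) Component {
	return Component{Type: "library", Name: path, Version: version,
		Purl: "pkg:golang/" + strings.ToLower(path) + "@" + version}
}

// ParseGoMod returns the module path and every require directive of a go.mod,
// in single-line and "require ( ... )" block form. Comments (including the
// "// indirect" marker, so indirect deps are kept) are stripped; any other
// "( ... )" block (replace/exclude/retract) adds no dependencies and is skipped.
func ParseGoMod(src string) (module string, reqs []Component, err error) {
	block := "" // directive whose "( ... )" block we are inside, or ""
	for n, raw := range strings.Split(src, "\n") {
		line := raw
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		f := strings.Fields(line)
		switch {
		case len(f) == 0:
		case block != "" && f[0] == ")":
			block = ""
		case block == "require":
			if len(f) != 2 {
				return "", nil, fmt.Errorf("line %d: malformed require entry %q", n+1, raw)
			}
			reqs = append(reqs, goComponent(f[0], f[1]))
		case block != "":
			// inside a replace/exclude/retract block: nothing to record
		case f[0] == "module" && len(f) == 2:
			module = strings.Trim(f[1], `"`)
		case len(f) == 2 && f[1] == "(":
			block = f[0] // a directive block opens
		case f[0] == "require" && len(f) == 3:
			reqs = append(reqs, goComponent(f[1], f[2]))
		case f[0] == "require":
			return "", nil, fmt.Errorf("line %d: malformed require directive %q", n+1, raw)
		}
	}
	if module == "" {
		return "", nil, fmt.Errorf("no module directive found")
	}
	return module, reqs, nil
}

// BuildBOM always emits the root component, so a dependency-free module still
// yields a valid, if short, SBOM rather than nothing. The caller supplies the
// root version (e.g. from a git tag) because go.mod does not record it.
func BuildBOM(module, rootVersion string, reqs []Component) BOM {
	b := BOM{BOMFormat: "CycloneDX", SpecVersion: "1.5",
		Components: append([]Component{}, reqs...)} // "[]" rather than null when empty
	b.Metadata.Component = goComponent(module, rootVersion)
	return b
}

// NoDepsGoMod is a constructed go.mod for a dependency-free module, the
// situation the issue describes; the module path is this repository's v3 path.
const NoDepsGoMod = "module github.com/Masterminds/semver/v3\n\ngo 1.21\n"

// AppGoMod is a constructed go.mod for an application with two dependencies.
const AppGoMod = `module example.com/app

go 1.21

require (
	example.com/lib v1.2.3
	github.com/Masterminds/semver/v3 v3.0.0 // indirect
)

replace example.com/lib => ../lib
`

func main() {
	for _, src := range []string{NoDepsGoMod, AppGoMod} {
		module, reqs, err := ParseGoMod(src)
		if err != nil {
			fmt.Println("error:", err)
			return
		}
		out, _ := json.MarshalIndent(BuildBOM(module, "vX.Y.Z-placeholder", reqs), "", "  ")
		fmt.Println(string(out))
	}
}
```

Running it prints two documents: the first has an empty `components` array and only the root `metadata.component`, which is the "nothing to list, but still a valid SBOM" outcome a generator should produce for a library like this one; the second lists both `require` entries, including the one marked `// indirect`. Every component is typed `library` here; a real generator would type the root of an application differently.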