anchore / syft

CLI tool and library for generating a Software Bill of Materials from container images and filesystems
Apache License 2.0

No Supplier for each component within SBOM #2993

Open merlin-uk opened 3 days ago

merlin-uk commented 3 days ago

What would you like to be added:
Please add "Supplier" to each component.

Why is this needed:
The Supplier is needed to make SBOM valid.

Additional context:

kzantow commented 3 days ago

> The Supplier is needed to make SBOM valid.

This is not required to make a valid SBOM. It is required for NTIA minimum elements.

The challenge we have here is that we simply don't have supplier information present in the scan target for everything. However, we are including supplier in many cases, if we found this information.

Is there something else you are looking for? Could you provide more information: what package ecosystem, what output format, sample images you expect to have suppliers, etc.?
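To answer the maintainer's question concretely, a reporter can list which components in a syft-generated SBOM actually lack a supplier. The following script is an added example, not syft's own code: it reads a CycloneDX JSON or SPDX JSON document and reports components whose supplier is absent, empty, or (for SPDX) NOASSERTION. The two sample documents are constructed for illustration and are not real syft output.

```python
import json

# Constructed CycloneDX 1.4-style document for illustration; not real syft output.
SAMPLE_CYCLONEDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "libssl", "version": "3.0.2",
         "supplier": {"name": "Example Distro Maintainers"}},
        {"type": "library", "name": "requests", "version": "2.31.0"},
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "supplier": {"name": ""}},
    ],
})

# Constructed SPDX 2.3-style document for illustration; not real syft output.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "libssl", "versionInfo": "3.0.2",
         "supplier": "Organization: Example Distro Maintainers"},
        {"name": "requests", "versionInfo": "2.31.0", "supplier": "NOASSERTION"},
        {"name": "lodash", "versionInfo": "4.17.21"},
    ],
})

def missing_supplier(sbom_json: str) -> list[str]:
    """Return 'name@version' for each component with no usable supplier."""
    doc = json.loads(sbom_json)
    missing = []
    if doc.get("bomFormat") == "CycloneDX":
        for comp in doc.get("components", []):
            # CycloneDX: supplier is an object; an empty name is as good as absent.
            name = ((comp.get("supplier") or {}).get("name") or "").strip()
            if not name:
                missing.append(f"{comp['name']}@{comp.get('version', '')}")
    elif str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        for pkg in doc.get("packages", []):
            # SPDX: supplier is a string; NOASSERTION carries no information.
            sup = (pkg.get("supplier") or "").strip()
            if not sup or sup == "NOASSERTION":
                missing.append(f"{pkg['name']}@{pkg.get('versionInfo', '')}")
    else:
        raise ValueError("unrecognised SBOM format")
    return missing

if __name__ == "__main__":
    for label, doc in (("CycloneDX", SAMPLE_CYCLONEDX), ("SPDX", SAMPLE_SPDX)):
        print(label, "missing supplier:", missing_supplier(doc))
```

Run it against `syft <image> -o cyclonedx-json` or `-o spdx-json` output to see which ecosystems and packages lack supplier data before filing a report.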