eclipse / jbom

Apache License 2.0
111 stars 5 forks

Add suggested SBOM viewers/tools to README? #14

Closed davewichers closed 1 year ago

davewichers commented 1 year ago

For those not very familiar with SBOMs, can you add a section to the README suggesting tools (free hopefully) that the users can use to look at/review the generated SBOM? Or maybe point to a free resource with suggested tools, and how to use SBOMs to help manage/improve the security of an analyzed project?

A minor issue, but I see the tool outputs this: jbom-jbom-1.2.1.json when run against itself. If this file is an SBOM, would a better name for the output file be: SBOM-file_analyzed.json or something like that? (Maybe: jbom-SBOM-file_analyzed.json?). As an example, the cyclonedx plugin generates a file like this for antisamy: antisamy-1.7.2-cyclonedx.json. Maybe that filename format should be adopted.
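As an added illustration of what "looking at/reviewing" a generated SBOM can mean in practice, here is a small script that is not part of jbom or this thread. It assumes the output file is a CycloneDX JSON document (bomFormat, specVersion, components with name/group/version/purl); the embedded sample document and the watchlist passed to `match_watchlist` are constructed for the example, not taken from any real jbom run.

```python
"""Review a CycloneDX JSON SBOM: inventory, hygiene findings, watchlist match.

Added example; not jbom's code. Assumes the CycloneDX JSON component shape.
"""
import json
from collections import Counter

# Constructed sample in CycloneDX 1.4 JSON shape (not produced by jbom).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
         "version": "2.13.4",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4"},
        # Deliberately incomplete entry: a reviewer cannot act on it.
        {"type": "library", "name": "vendor-utils"},
    ],
})


def load_sbom(text):
    """Parse SBOM JSON and refuse anything that is not CycloneDX."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def inventory(doc):
    """Return (coordinates, version) pairs; coordinates are group:name if group is present."""
    rows = []
    for c in doc.get("components", []):
        coords = f"{c['group']}:{c['name']}" if c.get("group") else c["name"]
        rows.append((coords, c.get("version")))
    return rows


def review_findings(doc):
    """Flag components that cannot be matched against advisories or package databases."""
    findings = []
    seen = Counter()
    for c in doc.get("components", []):
        label = c.get("name", "<unnamed>")
        if not c.get("version"):
            findings.append(f"{label}: no version, cannot be matched against advisories")
        if not c.get("purl"):
            findings.append(f"{label}: no purl, cannot be looked up in package databases")
        seen[(c.get("group"), c.get("name"), c.get("version"))] += 1
    for (_, name, version), n in seen.items():
        if n > 1:
            findings.append(f"{name}@{version}: listed {n} times")
    return findings


def match_watchlist(doc, watch_purls):
    """Return purls present in the SBOM that also appear in a caller-supplied watchlist.

    The watchlist (e.g. packages the team has decided to replace) is the caller's
    policy input; this example does not ship or invent one.
    """
    present = {c["purl"] for c in doc.get("components", []) if c.get("purl")}
    return sorted(present & set(watch_purls))


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    for coords, version in inventory(sbom):
        print(f"{coords} {version or '(no version)'}")
    for finding in review_findings(sbom):
        print("FINDING:", finding)
```

Run it against a real jbom output by replacing `SAMPLE_SBOM` with the file contents; the findings list is the part worth reading first, since a component without a version or purl is one the SBOM cannot help you track.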

planetlevel commented 1 year ago

output filename updated