goharbor / pluggable-scanner-spec

Open API spec definition for the scanners that can be plugged into Harbor to do artifact scanning.
Apache License 2.0

Define the data spec for SBOM #10

Open steven-zou opened 2 years ago

steven-zou commented 2 years ago

Maybe adopting the standard https://spdx.org/ is enough.

steven-zou commented 2 years ago

Many more references here: https://info.aquasec.com/gartner-sbom?_hsmi=209852081&_hsenc=p2ANqtz-9VQ2cCqfDtVMLi7sS4DSIm52pp_qTSFxKMU35x_Oe4Aw8NkZCnYp657861WmvP13-A3wfFr95HEwEa9X9N901YEPk6GA

prabhu commented 1 year ago

Consider adopting CycloneDX standard for both SBOM and vulnerabilities. As a bonus, results from advanced analysis, such as reachability, can be represented as evidence, thus reducing the integration effort involved.