interlynk-io / sbombenchmark.dev

Build Better SBOM
Apache License 2.0

Allow to list SBOMs created by the tools by package #12

Open sschuberth opened 1 year ago

sschuberth commented 1 year ago

Is your feature request related to a problem? Please describe.

Mostly, an auto-generated SBOM can only be as good as the metadata provided by the project / packages. As such it might be unfair to compare tools solely based on their SBOM quality scores as they're not necessarily being run on the same packages.

Describe the solution you'd like

For a given project / package, it should be possible to list all the SBOMs and their scores for the respective tools. That way one can quickly see which tool is providing the best SBOM for a given fixed input.

Describe alternatives you've considered

Another way to emphasize that a plain quality score based comparison might be unfair would be to clearly show for each tool which package managers / build systems / ecosystems it supports. Users might prefer a single slightly "worse" polyglot tool over multiple "better" specialized tools for usage simplicity.

Additional context

Looking at https://sbombenchmark.dev/, it currently seems like "sbom4python" would be the best overall tool, but as the name suggests it's for Python projects only, and from a user perspective it makes little sense to directly compare this to container-only tools like "Syft".

surendrapathak commented 1 year ago

Thanks for the feedback @sschuberth. Let us evaluate this and get back to you.