Closed riteshnoronha closed 1 week ago
Hey @riteshnoronha, a few questions related to the above issue, as I don't have a clear understanding of it:
sbom_with_creator_and_version) are you talking about? I am aware of rules or checks that were used for compliance reports such as CRA. Or is this something different which I am unaware of?

We have found that SBOMs generated via APIs in CDX 1.5 and above set the tool used to generate them in the Metadata->Tools->Services section. In our current logic we only check Metadata->Tools->Tools and Metadata->Tools->Components. Yes, it impacts the sbom_with_creator_and_version rule, so if we parse it correctly and save it in cdxDoc it should just work.
It's possible the creator and tool version could be present in the tools->services section for SBOMs created via API services.
The sbom_with_creator_and_version rule should be modified to handle this. This is a CDX-only thing.
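To make the three locations concrete, here is an added Go example that is not the project's own code (the page does not show the project's parser or its `cdxDoc` type, so the type names, the `ExtractCreators` / `HasCreatorWithVersion` functions and the sample documents are all assumptions constructed for this illustration). It reads `metadata.tools` from a CycloneDX JSON document in both shapes the spec allows: the pre-1.5 array of tool objects, and the 1.5+ object with `components` and `services` arrays. A creator found only under `services`, as the issue describes for API-generated SBOMs, is treated exactly like one found under `components`, and the boolean returned by `HasCreatorWithVersion` is what a `sbom_with_creator_and_version` style check would consume.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
)

// Creator is a tool or service that produced the SBOM, with its version (assumed name).
type Creator struct {
	Name    string
	Version string
}

// namedVersioned covers the fields shared by CycloneDX tool, component and service objects.
type namedVersioned struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

// toolsObject is the CycloneDX 1.5+ form of metadata.tools.
type toolsObject struct {
	Components []namedVersioned `json:"components"`
	Services   []namedVersioned `json:"services"`
}

// ExtractCreators returns every creator recorded in metadata.tools, whether the field is the
// legacy array of tools or the 1.5+ object holding components and/or services.
func ExtractCreators(doc []byte) ([]Creator, error) {
	var bom struct {
		Metadata struct {
			Tools json.RawMessage `json:"tools"`
		} `json:"metadata"`
	}
	if err := json.Unmarshal(doc, &bom); err != nil {
		return nil, err
	}
	raw := bytes.TrimSpace(bom.Metadata.Tools)
	if len(raw) == 0 || bytes.Equal(raw, []byte("null")) {
		return nil, nil // no tools section at all
	}
	var out []Creator
	add := func(items []namedVersioned) {
		for _, it := range items {
			out = append(out, Creator{Name: it.Name, Version: it.Version})
		}
	}
	switch raw[0] {
	case '[': // pre-1.5: "tools": [ {name, version}, ... ]
		var legacy []namedVersioned
		if err := json.Unmarshal(raw, &legacy); err != nil {
			return nil, err
		}
		add(legacy)
	case '{': // 1.5+: "tools": { "components": [...], "services": [...] }
		var obj toolsObject
		if err := json.Unmarshal(raw, &obj); err != nil {
			return nil, err
		}
		add(obj.Components)
		add(obj.Services) // the location the issue says was previously ignored
	default:
		return nil, fmt.Errorf("metadata.tools: unexpected JSON value %q", raw)
	}
	return out, nil
}

// HasCreatorWithVersion reports whether at least one creator has both a name and a version,
// which is the condition a creator-and-version rule would check.
func HasCreatorWithVersion(doc []byte) (bool, error) {
	creators, err := ExtractCreators(doc)
	if err != nil {
		return false, err
	}
	for _, c := range creators {
		if c.Name != "" && c.Version != "" {
			return true, nil
		}
	}
	return false, nil
}

// Constructed sample documents (not real SBOMs) covering the three shapes.
const SampleServicesBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"tools":{
  "services":[{"name":"api-sbom-service","version":"2.1.0"}]}}}`
const SampleLegacyBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","metadata":{"tools":[
  {"vendor":"example","name":"legacy-cli","version":"0.9.0"}]}}`
const SampleNoVersionBOM = `{"bomFormat":"CycloneDX","specVersion":"1.5","metadata":{"tools":{
  "components":[{"type":"application","name":"unversioned-tool"}]}}}`

func main() {
	for _, s := range []string{SampleServicesBOM, SampleLegacyBOM, SampleNoVersionBOM} {
		ok, err := HasCreatorWithVersion([]byte(s))
		fmt.Printf("creator with version: %v (err=%v)\n", ok, err)
	}
}
```

The switch on the first byte of the raw `tools` value is the whole fix in miniature: a parser that only ever unmarshals into the legacy array, or only reads `components` from the object form, silently drops the `services` entry and makes the rule fail for an SBOM that does in fact name its generator and version.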