I am considering the possibility of utilizing the osv-scanner as a replacement for cdxgen within Flawfind. The rationale behind this exploration stems from several factors:
Size Efficiency: osv-scanner is notably smaller than cdxgen, potentially resulting in a more lightweight and streamlined integration.
Process Integration: Using osv-scanner could eliminate the necessity to execute a separate command, allowing for all processes to be contained within the same Go process. This could enhance efficiency and simplify the overall architecture.
Investigate SBOM Generation: However, it is imperative to investigate whether osv-scanner supports the generation of Software Bills of Materials (SBOMs) from both containers and host systems. This aspect requires thorough exploration to ascertain compatibility and functionality.