microsoft / component-detection

Scans your project to determine what components you use
MIT License

Why are NuGet project references not included? #1029

Open Whathecode opened 6 months ago

Whathecode commented 6 months ago

I'm trying to generate an SBOM using sbom-tool, which uses this package to find dependencies through NuGet configurations. I noticed that project references are missing.

When running component-detection in isolation, I noticed that project references are also omitted in the output. Running a debugger, I can see that there is specific code to parse them, but they get filtered out in the final NavigateAndRegister().

What is the reason for this? This means that I won't see components used by these projects, which is a requirement for my SBOM output. This code was introduced in the "initial commit", so there is not much more information I can gather from git history.

When removing the early out for || library.Type == ProjectDependencyType, the output seems to work fine, except that the project references show up as "NuGet" references in the ScanManifest instead of "project" references, i.e., they have " - NuGet" appended to their name and version.
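
The effect of that early out, as an added example that is not part of the original issue or of component-detection's own code: a small Python walk over a constructed, trimmed project.assets.json that starts from the project's direct dependencies and descends through each library's "dependencies" map. With a project-type early out in place, the project reference MyLib and Newtonsoft.Json (reachable only through MyLib) are both dropped; without it, they are reported, and each entry keeps the library's own type so a project reference is not labelled as a NuGet package. The JSON document, the names MyLib, walk and missing_when_projects_skipped, and the shape of the traversal are my assumptions for illustration, not component-detection's implementation.

```python
"""Walk a NuGet project.assets.json dependency graph, with and without an
early out that drops project references.

Added example, not component-detection's own code. The assets document
below is constructed by hand and trimmed to the fields the walk needs.
"""
import json
from typing import Dict, Set, Tuple

# Constructed, minimal project.assets.json (assumed shape, not a real file).
# "MyLib" is a project reference and the only path to Newtonsoft.Json;
# Serilog is a direct package reference with one transitive package.
ASSETS_JSON = r'''
{
  "version": 3,
  "targets": {
    "net8.0": {
      "MyLib/1.0.0": {
        "type": "project",
        "dependencies": { "Newtonsoft.Json": "13.0.3" }
      },
      "Newtonsoft.Json/13.0.3": { "type": "package" },
      "Serilog/3.1.1": {
        "type": "package",
        "dependencies": { "Microsoft.Extensions.DependencyInjection.Abstractions": "8.0.0" }
      },
      "Microsoft.Extensions.DependencyInjection.Abstractions/8.0.0": { "type": "package" }
    }
  },
  "projectFileDependencyGroups": {
    "net8.0": [ "MyLib >= 1.0.0", "Serilog >= 3.1.1" ]
  }
}
'''
ASSETS = json.loads(ASSETS_JSON)

# (name, resolved version, kind) where kind is "package" or "project"
Component = Tuple[str, str, str]


def _resolve(target: Dict[str, dict], name: str) -> str:
    """Return the 'Name/Version' key in the target for a dependency name.

    NuGet package ids are case-insensitive, so the match ignores case.
    """
    for key in target:
        if key.split("/", 1)[0].lower() == name.lower():
            return key
    raise KeyError(f"{name} not resolved in target")


def walk(assets: dict, framework: str, skip_projects: bool) -> Set[Component]:
    """Depth-first walk from the project's direct dependencies.

    skip_projects=True mirrors the early out the issue describes: a library
    of type "project" is neither registered nor descended into, so anything
    reachable only through it is missing from the result.
    """
    target = assets["targets"][framework]
    # Entries look like "MyLib >= 1.0.0"; only the id is needed as a root.
    roots = [entry.split(" ", 1)[0] for entry in assets["projectFileDependencyGroups"][framework]]
    seen: Set[Component] = set()

    def visit(name: str) -> None:
        key = _resolve(target, name)
        lib = target[key]
        kind = lib.get("type", "package")
        if skip_projects and kind == "project":
            return
        lib_name, version = key.split("/", 1)
        comp = (lib_name, version, kind)
        if comp in seen:
            return
        seen.add(comp)
        for dep in lib.get("dependencies", {}):
            visit(dep)

    for root in roots:
        visit(root)
    return seen


def missing_when_projects_skipped(assets: dict, framework: str) -> Set[Component]:
    """Components reported by the full walk but lost to the early out."""
    return walk(assets, framework, skip_projects=False) - walk(assets, framework, skip_projects=True)


if __name__ == "__main__":
    for comp in sorted(missing_when_projects_skipped(ASSETS, "net8.0")):
        print("dropped by early out:", comp)
```

The difference set is the practical check for an SBOM pipeline built on top of a detector that filters at detection time: if it is non-empty, the report is missing components that ship in the final application, and the gap cannot be recovered downstream because the detector never emitted them.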

Whathecode commented 1 month ago

Any input on this? As we are approaching another round of needed SBOM output, I'd like to assess whether we should at all rely on this tool. Maybe @melotic ?

grvillic commented 2 weeks ago

Hi @Whathecode, for historical reasons these dependencies (framework / project) were considered noisy by customers, since they were related to the SDK itself, not your app; this was indirectly triggering a ton of security alerts. That being said, after revisiting the problem and the importance of SBOMs in the last few years, we concluded that we need to reintroduce all of these. This change should have happened downstream at the report level based on customer needs, not at the detection level.

We need to tweak other processes downstream before shipping this but expect it to be released by end of October 2024.