Open mkurzman opened 9 months ago
Thanks @prabhu for your offer to help. I believe it would be beneficial to first understand more about the capabilities of the different tools, maybe also not limited to ORT and CDXGen.
Which brings me back to a long-standing wish of mine to have a service that takes some Git repository to analyze / scan, runs various SCA / SBOM tools on it, and compares the results.
Something like a Jenkins instance hosted by a "neutral" party would work for that, where we run jobs from Jenkinsfiles that are hosted in some Open Source repository that people can contribute to. Maybe we should reach out to Linux Foundation (ACT, OpenChain) or OWASP to check whether they would be willing to host such an instance.
Hi, it seems the development activities for https://github.com/CycloneDX/cdxgen were intensified in 2023 and are ongoing. Is there a way to collaborate / align to use the benefits of CDXGen and join forces in cases where Package Managers or setup are not supported by the ORT analyzer yet? Marcel