snyk-tech-services / snyk2spdx


[🐛] SPDX output only reports vulnerabilities #43

Open hectorj2f opened 2 years ago

hectorj2f commented 2 years ago

Expected behaviour

Please share expected behaviour. I would expect the rest of SPDX fields to be populated instead of only the vulnerabilities.

Actual behaviour

SPDX output only populates the vulnerabilities field of SPDX 3.0.

lili2311 commented 2 years ago

Hi @hectorj2f, thanks for your request. At the time of building this, the spec was very much in progress and had missing/undocumented fields, so these are not present today. This repo has not been updated since. I am checking internally if there are any plans to evolve this project and will share back your feedback.

hectorj2f commented 2 years ago

I am checking internally if there are any plans to evolve this project and will share back your feedback.

Thanks @lili2311. That would help us to get some expectations.

lili2311 commented 2 years ago

Hi @hectorj2f

This tool is a look ahead at the new vulnerability extension in the WIP SPDX v3 spec.

We’re building out a new API for Snyk at the moment, and working on where this will utilise various emerging standards. This will include issues from Snyk Open Source projects, where SPDX + the vulnerability extension is relevant. We have an API in the works for grabbing the dependency information in standard formats as well, starting with CycloneDX, but we’ll be adding support for SPDX as well.

If you want to chat about this, talk to your Snyk contact, who can grab someone from the product team to talk more.

hectorj2f commented 2 years ago

@lili2311 Thanks for the update. We are currently using this tool. We are definitely interested in any more stable service that could provide similar functionality.