tern-tools / tern

Tern is a software composition analysis tool and Python library that generates a Software Bill of Materials for container images and Dockerfiles. The SBOM that Tern generates will give you a layer-by-layer view of what's inside your container in a variety of formats including human-readable, JSON, HTML, SPDX and more.
BSD 2-Clause "Simplified" License

Add purl information to SPDX reports when available #1206

Closed rnjudge closed 1 year ago

rnjudge commented 1 year ago

A purl is a URL string used to identify and locate a software package in a mostly universal and uniform way across programming languages, package managers, packaging conventions, tools, APIs and databases.

Tern's SPDX documents are more consumable and interoperable with other tooling if purls are available for the packages.

SPDX supports the inclusion of purls as a PACKAGE-MANAGER category of ExternalReference for a package. See https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field and https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/#f35-purl.
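As an added illustration of the request above (example code written for this page, not Tern's own implementation): the snippet below assembles a canonical purl from a package's components, percent-encoding each part so that characters such as `+` or `@` inside a version or a scoped npm namespace cannot be mistaken for purl separators, and then wraps it as the `PACKAGE-MANAGER` / `purl` ExternalRef that SPDX 2.3 expects, in both the JSON and tag-value layouts. The `Package` record, its field names and the sample packages are constructed assumptions for the example; Tern's real data model differs. A small consumer-side check is included because an SBOM reader should validate a locator's shape before passing it to vulnerability lookups.

```python
"""Added example: build a purl and emit it as an SPDX 2.3 external reference.
The Package class and sample data are constructed for this example and are
not Tern's own types."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import quote


@dataclass
class Package:
    # Hypothetical package record (assumption, not Tern's class).
    name: str
    version: str
    purl_type: str                       # purl type, e.g. "deb", "pypi", "npm"
    namespace: Optional[str] = None      # e.g. "debian" for deb packages
    qualifiers: Dict[str, str] = field(default_factory=dict)


def build_purl(pkg: Package) -> str:
    """Assemble pkg:type/namespace/name@version?qualifiers.

    Every component is percent-encoded with no safe characters, so a '+' in a
    Debian version or the '@' of a scoped npm namespace survives as data
    rather than being read as a purl separator."""
    parts = ["pkg:", pkg.purl_type.lower(), "/"]
    if pkg.namespace:
        # A namespace may have several '/'-separated segments; encode each
        # segment on its own and keep the separators.
        segments = [quote(seg, safe="")
                    for seg in pkg.namespace.strip("/").split("/") if seg]
        parts.append("/".join(segments) + "/")
    parts.append(quote(pkg.name, safe=""))
    if pkg.version:
        parts.append("@" + quote(pkg.version, safe=""))
    if pkg.qualifiers:
        # Keys are lowercased and sorted so equal packages yield equal purls;
        # empty values are dropped. '/' and ':' may stay unencoded in values.
        qs = "&".join(
            f"{k.lower()}={quote(v, safe='/:')}"
            for k, v in sorted(pkg.qualifiers.items(), key=lambda kv: kv[0].lower())
            if v
        )
        parts.append("?" + qs)
    return "".join(parts)


def spdx_external_ref(pkg: Package) -> dict:
    """externalRefs entry for a package in an SPDX 2.3 JSON document."""
    return {
        "referenceCategory": "PACKAGE-MANAGER",
        "referenceType": "purl",
        "referenceLocator": build_purl(pkg),
    }


def spdx_tag_value_line(pkg: Package) -> str:
    """The same reference in SPDX tag-value syntax."""
    return f"ExternalRef: PACKAGE-MANAGER purl {build_purl(pkg)}"


def is_plausible_purl(locator: str) -> bool:
    """Consumer-side shape check before trusting a locator read from an SBOM:
    'pkg:' scheme, a non-empty type, a non-empty name, no whitespace."""
    if not locator.startswith("pkg:") or any(c.isspace() for c in locator):
        return False
    body = locator[len("pkg:"):].lstrip("/")
    ptype, sep, rest = body.partition("/")
    if not sep or not ptype:
        return False
    # Strip subpath, qualifiers and version; what remains must end in a name.
    rest = rest.split("#", 1)[0].split("?", 1)[0].split("@", 1)[0]
    return bool(rest.rstrip("/").rsplit("/", 1)[-1])


# Constructed sample packages, as a layer scanner might report them.
SAMPLE_DEB = Package("openssl", "1.1.1n-0+deb11u3", "deb", "debian",
                     {"distro": "debian-11", "arch": "amd64"})
SAMPLE_PYPI = Package("requests", "2.28.1", "pypi")
SAMPLE_NPM = Package("core", "15.0.0", "npm", "@angular")

if __name__ == "__main__":
    for pkg in (SAMPLE_DEB, SAMPLE_PYPI, SAMPLE_NPM):
        print(spdx_tag_value_line(pkg))
        print(spdx_external_ref(pkg))
```

Running the block prints one tag-value `ExternalRef:` line and the matching JSON dictionary per sample package; the Debian version comes out as `1.1.1n-0%2Bdeb11u3` and the scoped npm namespace as `%40angular`, which is the canonical form the purl spec requires.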

ivanayov commented 1 year ago

I'd like to work on this.