cdxgen
Creates CycloneDX Bill of Materials (BOM) for your projects from source and container images. Supports many languages and package managers. Integrate in your CI/CD pipeline with automatic submission t...
Node.js seems to be getting native [support](https://github.com/nodejs/node/commit/036b1fd66d8e18091c826e644aef872aee92ffcc) for proxies. Perhaps we can make global-agent an optional [dependency](https://github.com/CycloneDX/cdxgen/blob/8c234b3e87d18335704d6d2007c8ec1ccb9b5326/package.json#L92) once it works well with got? We can also add support for default...
Our Sea binaries [bundle](https://github.com/CycloneDX/cdxgen/blob/master/.github/workflows/binary-builds.yml) and include a version of Node.js at release time. This makes us inherit any Node.js CVEs from upstream. We can generate and offer a no-node version...
mill has just been released and it has been completely changed from the version we implemented some time back. We should update our implementation to be able to support the...
I have some questions about generating BOM files with CDXGEN in PNPM monorepo environment. Dependency-Track v4.10.1 pnpm workspace (monorepo) * apps * web * node_modules * package.json * packages *...
It would be good to be able to build pre-releases, eg to test changes to our release-workflow. @jkowalleck gave us this information to get us started: > For npmjs.org registry,...
For code readability and maintainability, it would be good to refactor some of the larger files into smaller, language or manager specific modules
We should refactor our repo and split some of our huge source files into smaller chunks. One idea would be to split the code on the language and/or tool they...
During a random check, I noticed that several of our repotests are generating empty SBOMs. We should check ALL of our tests to see if and why they are not...
It would be really cool to be able to also add plugins to the SBOM, eg maven- and gradle-plugins, seeing how these actually influence your build and could potentially also...
Tycho projects are built using Maven, but since Tycho has its own complete lifecycle, the normal Maven solution doesn't work for getting dependencies. It seems Tycho did implement some way to...