cyclonedx-gomod

Creates CycloneDX Software Bill of Materials (SBOM) from Go modules

Results 30 cyclonedx-gomod issues

Bumps [goreleaser/goreleaser-action](https://github.com/goreleaser/goreleaser-action) from 3.0.0 to 3.1.0. Release notes Sourced from goreleaser/goreleaser-action's releases. v3.1.0 What's Changed fix: dist resolution from config file by @crazy-max (#369) ci: fix workflow by @crazy-max (#357)...

dependencies
github_actions

Bumps [github.com/rs/zerolog](https://github.com/rs/zerolog) from 1.27.0 to 1.28.0. Commits d894f12 pass program counter to CallerMarshalFunc (#457) 4099072 Support extra arbitrary data at the end of console log (#416) 4c85986 Unixnano time format...

dependencies
go

Bumps golang from 1.18.5-alpine3.16 to 1.19.0-alpine3.16. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=golang&package-manager=docker&previous-version=1.18.5-alpine3.16&new-version=1.19.0-alpine3.16)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a...

dependencies
docker

At the moment all main components in SBOMs generated with `app` and `bin` share the same PURL. For example, the SBOM for a binary compiled for `windows/amd64` will have the...

enhancement

We're currently only capturing the Go version in `app` and `mod`. Ideally we would also include info about the Go compiler, like hashes of `go` and most likely more. We'll...

enhancement

The Go standard library is vendoring a small selection of modules in such a way that they don't interfere with other versions of those modules in the module graph, see...

enhancement

`go version -m` can't currently deal with macOS [universal binaries](https://www.jviotti.com/2021/07/23/a-deep-dive-on-macos-universal-binaries.html). However, with Go 1.18, we will get the necessary tools to implement support for them ourselves, using `buildinfo.Read(io.ReaderAt)`. Also, Go...

enhancement
go:1.18

We don't currently scan the files of a module for licenses. As pointed out in the article below however, it is totally possible that some files are licensed differently than...

enhancement

`go mod graph` apparently isn't really intended for generating an accurate dependency graph (that is, differentiating between direct and transitive dependencies). This becomes painfully obvious when running that command on...

enhancement

https://circleci.com/docs/2.0/env-vars/#built-in-environment-variables
https://docs.drone.io/pipeline/environment/reference/
https://docs.github.com/en/actions/reference/environment-variables#default-environment-variables
https://docs.gitlab.com/ee/ci/variables/predefined_variables.html
https://wiki.jenkins.io/display/JENKINS/Building+a+software+project#Buildingasoftwareproject-belowJenkinsSetEnvironmentVariables
https://docs.travis-ci.com/user/environment-variables/#default-environment-variables

enhancement