Sergey "Shnatsel" Davidoff

Results: 943 comments by Sergey "Shnatsel" Davidoff

Panic messages in the executable itself also leak this information. `strings target/release/importer | grep '/Users/bob/repos/trustification/'` will reveal it just as well. **The build path was never secret to begin with.**...

The ID currently includes the filesystem path, so no. The SBOM should be possible to reproduce when run from a different filesystem path and/or on another machine. Therefore it should be...

There is a downside to exposing `packageurl::PackageUrl` in the public API: every time `packageurl` makes a semver-breaking release, we would have to make one too. Switching to another PURL crate...

There are several package URL crates in use already. I don't think it makes sense to enumerate every one in the documentation. I'd be happy to accept a PR adding...

I'm actually not convinced that adding CLI flags for this is a good idea. CycloneDX is a standardized format, so if you get a stable interface to interact with any...

> Write a script or program which takes the CycloneDX output and modifies it (adds the missing fields).

That property needs a fair bit of design work. We need to specify where it is legal for it to appear: on metadata only, or does it also appear on...

I've opened https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/78/ upstream. Once that's merged, this PR will need to be reworked to match that schema.

https://github.com/CycloneDX/cyclonedx-property-taxonomy/pull/78 is merged, so it would be nice to revive this.