anthonyharrison
@terriko I have just done an update (I am a few commits behind the latest branch) and looking at the epss file it looks like it has been updated. The...
@dfucci There is no industry standard convention for aligning SBOMs with VEX. Some of the VEX standards (e.g. CycloneDX) allow for SBOMs to be referenced whereas others don't (e.g. OpenVEX)....
@ffontaine I have now had a look at the purl2cpe database. As you have noticed, the purls don't have any version information included, which is very disappointing. Is there any...
@Dev-Voldemort There is a lot of activity in the purl/CPE space at the moment. I would be interested in understanding what your database would be doing noting that a 1-1...
@Dev-Voldemort I can see various discussions about GSOC and purls. Can I suggest you keep the discussions on the GSOC thread and not in lib4sbom. Lib4sbom is an SBOM generator/parser...
@angelwn Can you provide the full SBOM to see the full context as some of the elements don't seem to be correct according to the CycloneDX specification?
@nodet Extracted licensing information isn't handled, which is why you can't find it in the parser or generator. Whilst the SPDX parser covers the majority of the options, it doesn't...
@nodet Thank you for the suggestion.
Parser updated [here](675b3817c769bfef67be68f8119468dfbec2b27c)
@jkowalleck Yes that was my original idea but it clearly isn't the intended use case. Maybe some of the call stack structure could be reused outside of the evidence object?