anthonyharrison
@JR-Carroll Can you retry with a clean install of sbom4python (and ensure that the latest version of lib4sbom is used (0.8.1)) and see if there has been an improvement to...
@maurerle Only the dependencies included in the file will be included. These are typically only the direct dependencies. Using pip-compile will generate a more complete list of...
Thanks for the suggestion.
What you need is a tool which ingests SBOMs of either format (SPDX and CycloneDX) and then start analysing the SBOMs to look at all of the components. I might...
I am aware. I have played with it earlier this year, but the tooling was still immature. SPDX3 is very different to SPDX2. It is on the roadmap but I...
@rossburton I believe the yocto project already supports SPDX v3 as it is the early adopter for SPDX3. The supporting libraries for generating or parsing SPDX 3 were still under...
Updating a VEX statement is much more than just changing the status value. The data associated with the vulnerability will be dependent on the updated status as well as the...
Hi @AshishYesale7 cc @terriko Thanks for your ideas. We don't want your ideas/proposal published on GitHub. The application process is not yet open but I suggest you find the project...
Can you provide a copy of the command line you used? And if an SBOM is provided, can you also provide this? As @ffontaine identifies, it looks like you have...
@joydeep049 I think there were some format changes and some parameter names changed. I would suggest you get 20 records from each version and compare them to find the differences....