anthonyharrison
[cve.txt](https://github.com/intel/cve-bin-tool/files/8758170/cve.txt). The SBOM contains all the direct dependencies (specified in the requirements.txt file) together with the implicit dependencies from the included files. There is no consistency between licence names (there...
@terriko Do you want to try [sbom4python ](https://pypi.org/project/sbom4python/)? It seems to work when I have tested it on cve-bin-tool.
Here are the results when I run the generated SBOM for cve-bin-tool through cve-bin-tool 
@terriko I am finding the SBOM journey fascinating as it is throwing up all sorts of interesting edge cases. I think we should publish the SBOM with every release as...
@terriko There are additional options in [pip](https://pip.pypa.io/en/latest/cli/pip_install/) to consider when upgrading the dependencies.

```
--upgrade-strategy    Determines how dependency upgrading should be handled [default: only-if-needed]. “eager” - dependencies are upgraded regardless...
```
@Molkree I think this is a good idea but @terriko is already looking at how the tool can be made OSSF compliant. There are a number of features which aren't...
Hello @xiongnemo This project is loosely reserved for a paid contributor to be selected through the GSoC 2022 process. (open to anyone over 18 who's willing to put in either...
@rhythmrx9 You could look at [GitHub Advisories](https://github.com/advisories) and [Red Hat advisories](https://access.redhat.com/security) (and other vendors e.g. Debian) which I think are free to access. There are also some sources which require...
The new VEX feature (#1570) may also be worth considering as this offers facilities to support the triage process by using a JSON file. Maybe consider adding some tooling to...