anthonyharrison
### Description Latest version of cve 3.3.1(dev) is resulting in far fewer vulnerabilities being reported during an SBOM scan. This appears to be due to changes in the sbom_manager parse_sbom...
Following on from #41 the SPDX and CycloneDX generators need to handle multiple licences for a component.
I really like the idea but to avoid repeated calls of the API for every product I would like data on, I would like to maintain a local copy...
### Description Some of the entries in the NVD now include CVSS v4 data. This should be used as the primary scoring metric if available. The Common Vulnerability Scoring System...
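Added example of the selection rule the issue asks for (this is not cve-bin-tool's own code): walk the NVD metric blocks newest-first, take a v4 score when one exists, and only then fall back to v3.1, v3.0 and v2. It assumes the NVD API 2.0 JSON layout, where `cve["metrics"]` holds lists under `cvssMetricV40`, `cvssMetricV31`, `cvssMetricV30` and `cvssMetricV2`, each entry carrying a `type` (`Primary`/`Secondary`) and a `cvssData` object with `version`, `baseScore` and `vectorString`; the sample record is constructed and its scores are illustrative only.

```python
"""Select the primary CVSS score from an NVD CVE record, preferring CVSS v4.

Added example, not cve-bin-tool's own code. Assumes the NVD API 2.0 JSON
layout described in the lead-in.
"""
from __future__ import annotations

# Newest specification first: v4 wins when present, otherwise fall back.
METRIC_KEYS = ("cvssMetricV40", "cvssMetricV31", "cvssMetricV30", "cvssMetricV2")


def qualitative_severity(version: str, score: float) -> str:
    """Map a base score to the CVSS qualitative rating for that version."""
    if version.startswith("2"):
        # CVSS v2 has only three bands and no NONE/CRITICAL.
        return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH"
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def primary_cvss(cve: dict) -> dict | None:
    """Return {"version", "score", "severity", "vector"} for the best metric, or None."""
    metrics = cve.get("metrics") or {}
    for key in METRIC_KEYS:
        entries = metrics.get(key) or []
        # NVD may carry a CNA-supplied score alongside its own; prefer "Primary".
        ordered = sorted(entries, key=lambda e: 0 if e.get("type") == "Primary" else 1)
        for entry in ordered:
            data = entry.get("cvssData") or {}
            score = data.get("baseScore")
            if score is None:
                continue  # malformed entry: try the next one before falling back a version
            version = str(data.get("version", ""))
            return {
                "version": version,
                "score": float(score),
                "severity": qualitative_severity(version, float(score)),
                "vector": data.get("vectorString", ""),
            }
    return None


# Constructed sample record (not a real NVD entry): v2, v3.1 and v4 all present,
# and the v4 block lists a Secondary source before the Primary one.
SAMPLE_CVE = {
    "metrics": {
        "cvssMetricV2": [{"type": "Primary", "cvssData": {
            "version": "2.0", "baseScore": 6.8,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}],
        "cvssMetricV31": [{"type": "Primary", "cvssData": {
            "version": "3.1", "baseScore": 7.8,
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}}],
        "cvssMetricV40": [
            {"type": "Secondary", "cvssData": {"version": "4.0", "baseScore": 5.3,
             "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N"}},
            {"type": "Primary", "cvssData": {"version": "4.0", "baseScore": 8.7,
             "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"}},
        ],
    },
}

if __name__ == "__main__":
    print(primary_cvss(SAMPLE_CVE))
```

Note that the qualitative bands differ between v2 and v3/v4, so a scanner that already buckets findings by severity should derive the label from whichever version it actually picked, not from a v3 table applied to every score.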
The retrieval of additional package metadata in `_create_package` needs to be version specific: `self.package_metadata.get_package(package)`
Currently sbom4python extracts metadata from the Python package manager (pip). A useful enhancement would be to extract information from a pyinstaller archive file.
Whilst the `requirements.txt` file is often used to capture module dependencies, it would be good to capture dependencies from other sources such as `setup.py` and `pyproject.toml` files.
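One way to read all three sources, as an added example rather than sbom4python's own code. `setup.py` is parsed with the `ast` module instead of being executed, because a package's setup script is arbitrary code and an SBOM run should not execute it; `install_requires` that is computed at runtime is reported as unresolvable rather than guessed. It assumes PEP 621 `[project].dependencies` and Poetry's `[tool.poetry.dependencies]` table for `pyproject.toml`, needs Python 3.11+ for `tomllib` (falling back to the `tomli` package if present), and the sample files are constructed.

```python
"""Collect Python dependencies from requirements.txt, pyproject.toml and setup.py.

Added example, not sbom4python's own code. setup.py is inspected statically.
"""
from __future__ import annotations

import ast
import re

try:
    import tomllib  # Python 3.11+
except ModuleNotFoundError:  # pragma: no cover - older interpreters
    import tomli as tomllib  # type: ignore[no-redef]

# PEP 508 requirement: name, optional [extras], then everything else (the specifier).
_REQ = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)\s*(\[[^\]]*\])?\s*(.*?)\s*$")


def split_requirement(req: str) -> tuple[str, str]:
    """'Requests[security]>=2.31,<3 ; python_version>"3.8"' -> ('requests', '>=2.31,<3')."""
    req = req.split(";", 1)[0]  # drop environment markers
    m = _REQ.match(req)
    if not m:
        raise ValueError(f"unparseable requirement: {req!r}")
    return m.group(1).lower(), m.group(3)


def deps_from_requirements(text: str) -> dict[str, str]:
    deps: dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(("-", "git+", "http://", "https://")):
            continue  # pip options, editable/VCS/URL installs: not plain PEP 508
        name, spec = split_requirement(line)
        deps[name] = spec
    return deps


def deps_from_pyproject(text: str) -> dict[str, str]:
    data = tomllib.loads(text)
    deps: dict[str, str] = {}
    for req in data.get("project", {}).get("dependencies", []):  # PEP 621
        name, spec = split_requirement(req)
        deps[name] = spec
    # Poetry keeps its own table: name -> constraint string, or a sub-table with "version".
    poetry = data.get("tool", {}).get("poetry", {}).get("dependencies", {})
    for name, spec in poetry.items():
        if name.lower() == "python":
            continue  # interpreter constraint, not a package
        deps[name.lower()] = spec if isinstance(spec, str) else str(spec.get("version", ""))
    return deps


def deps_from_setup_py(text: str) -> dict[str, str]:
    """Read install_requires without executing setup.py; {} if it is computed at runtime."""
    for node in ast.walk(ast.parse(text)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        callee = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if callee != "setup":
            continue
        for kw in node.keywords:
            if kw.arg == "install_requires":
                try:
                    reqs = ast.literal_eval(kw.value)  # only plain literals are accepted
                except ValueError:
                    return {}  # e.g. install_requires=read_file("requirements.txt")
                return dict(split_requirement(r) for r in reqs)
    return {}


def collect_dependencies(sources: dict[str, str]) -> dict[str, dict[str, str]]:
    """Merge sources into name -> {source_file: specifier}, so disagreements stay visible."""
    parsers = {
        "requirements.txt": deps_from_requirements,
        "pyproject.toml": deps_from_pyproject,
        "setup.py": deps_from_setup_py,
    }
    merged: dict[str, dict[str, str]] = {}
    for filename, text in sources.items():
        for name, spec in parsers[filename](text).items():
            merged.setdefault(name, {})[filename] = spec
    return merged


# Constructed sample project files (not taken from any real package).
SAMPLE_SOURCES = {
    "requirements.txt": "requests>=2.31  # HTTP client\n-e .\nlib4sbom==0.6.0\n",
    "pyproject.toml": (
        '[project]\nname = "demo"\n'
        'dependencies = ["requests>=2.31,<3", "tomli; python_version < \'3.11\'"]\n'
        '[tool.poetry.dependencies]\npython = "^3.9"\npackageurl-python = "^0.11"\n'
    ),
    "setup.py": 'from setuptools import setup\n'
                'setup(name="demo", install_requires=["lib4sbom>=0.5", "packageurl-python"])\n',
}

if __name__ == "__main__":
    for name, by_source in sorted(collect_dependencies(SAMPLE_SOURCES).items()):
        print(name, by_source)
```

Keeping the per-file specifiers side by side (rather than collapsing to one string) is what lets the SBOM generator notice that `requirements.txt` pins a version the packaging metadata merely bounds, which is exactly the kind of drift an SBOM consumer wants to see.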
See https://github.com/anthonyharrison/lib4sbom/issues/49 Confirm that license for a module is reported regardless of installation/packaging approach
Add additional checks to identify when a file component is updated by checking for a checksum value change.
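Added example of the comparison itself, not lib4sbom's own code. It assumes a deliberately minimal, constructed representation (each file component is a dict with a `name` and a `checksum` list of `(algorithm, hex digest)` pairs) and shows the check a practitioner needs beyond "digest differs": algorithm names and hex case are normalised before comparing, and a file whose two SBOM entries share no checksum algorithm is reported as indeterminate rather than silently counted as unchanged.

```python
"""Flag file components whose checksum changed between two SBOMs.

Added example, not lib4sbom's own code. Uses the constructed file-component
shape described in the lead-in; the sample SBOM contents are constructed too.
"""
from __future__ import annotations

import hashlib


def file_component(name: str, data: bytes, algorithms=("SHA256",)) -> dict:
    """Build a file component for the given content, hashing with each named algorithm."""
    return {
        "name": name,
        "checksum": [(alg, hashlib.new(alg.lower(), data).hexdigest()) for alg in algorithms],
    }


def _normalise(checksums) -> dict[str, str]:
    # Producers disagree on "SHA-256" vs "sha256" and on hex case; compare canonical forms.
    return {alg.upper().replace("-", ""): digest.lower() for alg, digest in checksums}


def diff_file_components(old: list[dict], new: list[dict]) -> dict[str, list[str]]:
    """Classify each file as added, removed, modified, unchanged or indeterminate."""
    old_by = {f["name"]: f for f in old}
    new_by = {f["name"]: f for f in new}
    result: dict[str, list[str]] = {
        k: [] for k in ("added", "removed", "modified", "unchanged", "indeterminate")
    }
    for name in sorted(set(old_by) | set(new_by)):
        if name not in old_by:
            result["added"].append(name)
        elif name not in new_by:
            result["removed"].append(name)
        else:
            o = _normalise(old_by[name].get("checksum", []))
            n = _normalise(new_by[name].get("checksum", []))
            common = set(o) & set(n)
            if not common:
                # No shared algorithm (or no checksum at all): a matching name proves nothing.
                result["indeterminate"].append(name)
            elif any(o[alg] != n[alg] for alg in common):
                result["modified"].append(name)
            else:
                result["unchanged"].append(name)
    return result


# Constructed "before" and "after" file lists for a small package.
OLD_SBOM_FILES = [
    file_component("src/a.py", b"print('v1')\n"),
    file_component("src/b.py", b"import os\n"),
    file_component("src/c.py", b"pass\n", algorithms=("MD5",)),
    file_component("src/old.py", b"# retired\n"),
]
NEW_SBOM_FILES = [
    file_component("src/a.py", b"print('v2')\n"),                   # content changed
    file_component("src/b.py", b"import os\n"),                      # identical bytes
    file_component("src/c.py", b"pass\n", algorithms=("SHA256",)),   # algorithm changed, bytes not
    file_component("src/d.py", b"new = True\n"),                     # new file
]

if __name__ == "__main__":
    for category, names in diff_file_components(OLD_SBOM_FILES, NEW_SBOM_FILES).items():
        print(f"{category:>13}: {names}")
```

The `indeterminate` bucket is the important one for an SBOM consumer: `src/c.py` above has identical bytes in both versions, but with an MD5 on one side and a SHA-256 on the other the tool cannot prove it, so it must say so rather than report "unchanged".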
Upgrade license data to latest list - [SPDX License List](https://github.com/spdx/license-list-data/releases/tag/v3.25.0)