Patrick Dwyer
Having looked into this issue https://github.com/CycloneDX/cyclonedx-dotnet/issues/399, I've come to the conclusion that the _only_ way to achieve real accuracy is to generate the BOM from within the msbuild process. This...
For some integrity use cases it would be beneficial to include the files, and hashes, that are brought in by nuget packages.
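The per-file hashing this issue asks for, as an added example that is not part of the issue or of cyclonedx-dotnet: the script below opens a .nupkg (a zip archive), records a CycloneDX hash entry for every member as a nested `file` component plus a hash of the whole archive, and re-verifies a package against that record, reporting modified, missing and added members. The package name, version and file contents are constructed in-memory samples, and the nested-`file`-component layout is one way to express this in CycloneDX JSON, not the tool's own output format.

```python
import hashlib
import io
import json
import zipfile

# CycloneDX hash algorithm names mapped to hashlib constructor names.
ALG_TO_HASHLIB = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}


def hex_digest(alg: str, data: bytes) -> str:
    """Lowercase hex digest, the form CycloneDX expects in hashes[].content."""
    return hashlib.new(ALG_TO_HASHLIB[alg], data).hexdigest()


def cdx_hashes(data: bytes, algorithms):
    return [{"alg": alg, "content": hex_digest(alg, data)} for alg in algorithms]


def nupkg_component(nupkg_bytes: bytes, name: str, version: str, algorithms=("SHA-256",)):
    """Build a CycloneDX library component for a .nupkg with one nested
    'file' component per archive member, each carrying that member's hashes.
    Members are sorted by path so the output is deterministic."""
    files = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        for info in sorted(z.infolist(), key=lambda i: i.filename):
            if info.is_dir():
                continue
            files.append({"type": "file", "name": info.filename,
                          "hashes": cdx_hashes(z.read(info), algorithms)})
    return {
        "type": "library",
        "name": name,
        "version": version,
        "purl": f"pkg:nuget/{name}@{version}",
        "hashes": cdx_hashes(nupkg_bytes, algorithms),  # hash of the whole archive
        "components": files,
    }


def verify_nupkg(nupkg_bytes: bytes, component) -> list:
    """Recompute member hashes of a .nupkg against a component from nupkg_component().
    Returns the sorted list of member paths that were modified, are missing,
    or are present in the archive but absent from the recorded component."""
    expected = {c["name"]: c["hashes"] for c in component.get("components", [])}
    bad = []
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as z:
        present = {i.filename for i in z.infolist() if not i.is_dir()}
        for path, hashes in expected.items():
            if path not in present:
                bad.append(path)
                continue
            data = z.read(path)
            if any(h["content"] != hex_digest(h["alg"], data) for h in hashes):
                bad.append(path)
        bad.extend(present - set(expected))  # files added after the BOM was made
    return sorted(bad)


def rewrite_nupkg(nupkg_bytes: bytes, path: str, new_data: bytes) -> bytes:
    """Return a copy of the archive with one member replaced (used to simulate tampering)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(nupkg_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            dst.writestr(info.filename, new_data if info.filename == path else src.read(info))
    return out.getvalue()


def build_sample_nupkg() -> bytes:
    """Constructed sample package (hypothetical 'Example.Lib'), not a real NuGet artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Example.Lib.nuspec", "<package/>")
        z.writestr("lib/net8.0/Example.Lib.dll", b"MZ" + b"\x00" * 64)
        z.writestr("_rels/.rels", "<Relationships/>")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_nupkg()
    comp = nupkg_component(pkg, "Example.Lib", "1.2.3", algorithms=("SHA-256", "SHA-512"))
    print(json.dumps(comp, indent=2))
    print("clean:", verify_nupkg(pkg, comp))
    tampered = rewrite_nupkg(pkg, "lib/net8.0/Example.Lib.dll", b"MZ" + b"\x90" * 64)
    print("tampered:", verify_nupkg(tampered, comp))
```

The archive-level hash alone only tells you the .nupkg as a whole changed; the per-member entries are what let a consumer point at the exact assembly that differs, which is the integrity use case the issue describes.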
Once https://github.com/CycloneDX/cyclonedx-dotnet-library/issues/30 has been implemented, validation should be added to this tool.
This probably depends on #174 being resolved first. This would enable users of this implementation to verify what has been published to nuget matches the relevant commit tag.
When a project file is specified, relevant metadata should be included in the BOM. And as a base minimum, tool information should be included regardless.
This applies to all versions of the protobuf spec.
Suggestion to include guidance on tracking the components in your base image, and your own bundled software, as part of D02. There are tools like Anchore Syft that can generate...
The first time a serial number is published a publishing key should be optionally generated. Intention is to support a public BOM repo server and provide a simple mechanism with...
We should add support for configurable webhooks. This would support a lot of automation use cases. First version would just be a BOM or BOM version has been uploaded. With...