flemminglau
I see syft producing usable CycloneDX dependency information for image scans except for the tiny detail described here: https://github.com/DependencyTrack/dependency-track/issues/3314 I have tried manually adding the missing dependency between the root...
I had a hard time identifying the new option to use. I had to go and check the code changes made to identify the new option. The documentation does not...
It seems help (usage) is indeed available in the application when I specify the "assemble" keyword. Otherwise not. So not a huge point. My issue is that sbomasm produces CDX...
> to restrict the output sbom version

Not sure I get your point here. It seems you are now able to define the SBOM version in the output. What I...
Sorry, my mistake. I see now that a new -e option can control the output format. I tested it and indeed I get an output accepted by the latest version...
Actually no. 2 points. 1. I don't want to start with a "master Application SBOM". The Application can easily be defined simply as the merged SBOM is created. This is...
My challenge here is that I do not have a good example of the desired output. I am not even sure if there is a way to get Dependency Track...
Actually this request is linked with https://github.com/spdx/spdx-spec/issues/875 I am wording it differently but we are basically targeting the same general need for being able to express in the SPDX which...
Revisiting this maybe the functionality I am looking for is covered (or can be and should be) by the CycloneDX .components.type field. I.e. so that only type="library" are considered when...
I see your points but remember that I am limited by the tools available. I cannot simply (manually) inject or modify information into the SBOM files. That would be unworkable...