
Try out SBOMs/SLSA/Scorecard documents from more sources

Open lumjjb opened this issue 3 years ago • 2 comments

We've currently only tried our parser on outputs from Syft and on the SLSA documents of the k8s community. We encourage folks to try out new sources and different documents. The findings can be reported at https://github.com/guacsec/guac/issues/169; also let us know which ones work well!

lumjjb avatar Oct 25 '22 17:10 lumjjb

Is there a template to respond to this issue? I have tried an SBOM (CycloneDX format) in the tool; it uploads the nodes but not the root package, and there are no associations. Do you want to limit your tool to OCI images & containers? I think there is a lot of added value in having various languages/tools supported.

tixu avatar Oct 31 '22 08:10 tixu

Hey @tixu. Issue #169 does have a format defined that you can follow if you are having issues with a specific SBOM. https://github.com/guacsec/guac/issues/184 is related, as we are currently using heuristics to parse the root package (in the case of an image). We will be increasing support for more artifacts in the near future.

pxp928 avatar Oct 31 '22 20:10 pxp928
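Before reporting a CycloneDX document that loads as nodes but without a root package or associations, it helps to check what the document itself declares: a root is only named in `metadata.component`, and associations only exist if a `dependencies` section links `bom-ref`s. The following is an added example written for this thread, not GUAC's own ingestion code; it reads a CycloneDX JSON document with only the Go standard library and reports which of those pieces are present. The two sample documents (`linkedBOM`, `flatBOM`) and the `Analyze`/`Findings` function names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal subset of the CycloneDX JSON schema: enough to see whether a document
// names a root package (metadata.component) and links components via dependencies.
type cdxComponent struct {
	BOMRef string `json:"bom-ref"`
	Name   string `json:"name"`
}

type cdxDependency struct {
	Ref       string   `json:"ref"`
	DependsOn []string `json:"dependsOn"`
}

type cdxBOM struct {
	BOMFormat string `json:"bomFormat"`
	Metadata  struct {
		Component *cdxComponent `json:"component"`
	} `json:"metadata"`
	Components   []cdxComponent  `json:"components"`
	Dependencies []cdxDependency `json:"dependencies"`
}

// Report summarises what a graph builder can recover from the document.
type Report struct {
	HasRoot        bool   // metadata.component is present
	RootRef        string // its bom-ref, "" if absent
	ComponentCount int    // entries under components
	EdgeCount      int    // (ref -> dependsOn) pairs
	RootHasEdges   bool   // the root is the "ref" of some dependency entry
}

// Analyze parses a CycloneDX JSON document and reports whether it carries a
// root package and dependency associations, or only a flat component list.
func Analyze(doc []byte) (Report, error) {
	var bom cdxBOM
	if err := json.Unmarshal(doc, &bom); err != nil {
		return Report{}, err
	}
	if bom.BOMFormat != "CycloneDX" {
		return Report{}, fmt.Errorf("not a CycloneDX document: bomFormat=%q", bom.BOMFormat)
	}
	r := Report{ComponentCount: len(bom.Components)}
	if bom.Metadata.Component != nil {
		r.HasRoot, r.RootRef = true, bom.Metadata.Component.BOMRef
	}
	for _, d := range bom.Dependencies {
		if r.HasRoot && d.Ref == r.RootRef {
			r.RootHasEdges = true
		}
		r.EdgeCount += len(d.DependsOn)
	}
	return r, nil
}

// Findings turns a Report into the lines worth pasting into a bug report.
func Findings(r Report) []string {
	var out []string
	if !r.HasRoot {
		out = append(out, "no metadata.component: nothing identifies the root package")
	}
	if r.EdgeCount == 0 {
		out = append(out, "no dependencies entries: components cannot be associated")
	} else if r.HasRoot && !r.RootHasEdges {
		out = append(out, "root package never appears as a dependency ref")
	}
	return out
}

// Constructed sample documents, not the output of any real SBOM tool.
const linkedBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4",
 "metadata":{"component":{"bom-ref":"app","name":"demo-app"}},
 "components":[{"bom-ref":"a","name":"liba"},{"bom-ref":"b","name":"libb"}],
 "dependencies":[{"ref":"app","dependsOn":["a","b"]},{"ref":"a","dependsOn":["b"]}]}`

const flatBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4",
 "components":[{"bom-ref":"a","name":"liba"},{"bom-ref":"b","name":"libb"}]}`

func main() {
	for _, doc := range []string{linkedBOM, flatBOM} {
		r, err := Analyze([]byte(doc))
		if err != nil {
			panic(err)
		}
		fmt.Printf("root=%v components=%d edges=%d findings=%q\n",
			r.HasRoot, r.ComponentCount, r.EdgeCount, Findings(r))
	}
}
```

`flatBOM` reproduces the shape of a document that yields nodes but no root and no associations: two components, no `metadata.component`, no `dependencies`. Whether a given generator emits those sections depends on the tool and its flags, so the `Findings` lines tell you whether the gap is in the document or in the parser before filing a report in the issue #169 format.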