Alex Goodman
We support pURL today, but not SWID. pURLs are generated from any data discovered about a package, which is different for each ecosystem. For instance:
- https://github.com/anchore/syft/blob/v0.19.1/syft/pkg/rpmdb_metadata.go#L49
- https://github.com/anchore/syft/blob/v0.19.1/syft/pkg/java_metadata.go#L54
- ...
concept branch for part of a solution https://github.com/anchore/syft/compare/refactor-release (note, this branches from the install.sh work done previously, so needs to be rebased/cleaned-up when the install.sh PR lands) This splits up...
Good final state (summarizing from refinement conversation):
- continually create a draft release from changes on the tip of main
- draft releases would speculate the release version based on...
In between solution: Add a make target that facilitates cutting a release for someone. It would: - run chronicle in advance - showing the changelog + all misc. changes that...
Example of using syft as a lib today: https://gist.github.com/wagoodman/57ed59a6d57600c23913071b8470175b
From refinement:
- Do we want to encapsulate the stereoscope primitives or not? Should not have to do `stereoscope.*` to interact with syft, even if the objects from stereoscope are...
**_Update: much of this has been addressed in https://github.com/anchore/syft/pull/864_** Also, I think we should distinguish scoped capabilities of syft vs the pure definitions needed to interop with primitives that syft...
A topic that was brought up by @westonsteimel and @luhring was how syft versions are expressed in SBOMs when using syft as a lib. Today we have an `internal/version` package...
> It would be ideal to not expose behavior (e.g. tasks) and instead expose declarations (e.g. cataloger configurations?) Today we have this function call at the top-level syft package: ```golang...
Next up: what kind of cataloger options are we looking for here? Short answer: functional options that mostly represent existing configuration options seem best fit, as this allows for flexibility,...