cve-bin-tool
SBOM dependency nuance
More feedback from Intel's open source licensing folk relative to @anthonyharrison's #1167
- Current patch will give you a list of all package names/versions mentioned in an SBOM.
- SBOMs can include things that aren't necessarily in the final package (e.g. build dependencies)
- SBOM will have information on these relationships
We might want to distinguish these in the cve binary tool output in the future, or have options to scan only parts of the SBOM, to help users comply with whatever internal policies they have on who fixes/updates what.
@terriko Agree, SBOMs can contain a lot of information, but cve-bin-tool only currently extracts the package names/versions. I can see how the relationships between components might be a useful addition in the future to provide enhanced reporting of dependencies, although I think that may form part of a bigger change to look at dependency reporting in general.
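As an added illustration of the build-vs-runtime distinction raised in the issue and the "names/versions only" extraction described in the reply (example code, not cve-bin-tool's own and not part of either comment): it reads a constructed SPDX tag-value SBOM, uses the relationship lines to tag each package as runtime, build-only or unknown, and lets a scan include or exclude build-only packages. The relationship type names are real SPDX 2.2 types; the SBOM contents and the function names are assumptions.

```python
# Added example, not cve-bin-tool's code. Relationship types below are real SPDX 2.2
# types; the SBOM text is constructed for this example.
SAMPLE_SPDX = """PackageName: example-app
SPDXID: SPDXRef-app
PackageVersion: 1.0.0
PackageName: zlib
SPDXID: SPDXRef-zlib
PackageVersion: 1.2.11
Relationship: SPDXRef-zlib RUNTIME_DEPENDENCY_OF SPDXRef-app
PackageName: cmake
SPDXID: SPDXRef-cmake
PackageVersion: 3.18.4
Relationship: SPDXRef-cmake BUILD_DEPENDENCY_OF SPDXRef-app
"""
BUILD_ONLY = {"BUILD_DEPENDENCY_OF", "DEV_DEPENDENCY_OF", "TEST_DEPENDENCY_OF"}
RUNTIME = {"RUNTIME_DEPENDENCY_OF", "DEPENDENCY_OF", "CONTAINED_BY"}

def parse_spdx(text):
    # Returns ({SPDXID: (name, version)}, [(a, TYPE, b), ...]) from tag-value SPDX.
    packages, rels, cur = {}, [], {}
    for line in text.splitlines():
        key, _, value = (s.strip() for s in line.partition(":"))
        if key == "PackageName":  # opens a package block
            cur = {"name": value}
        elif key == "SPDXID" and cur:  # document-level SPDXID has no open block
            cur["id"] = value
            packages[value] = (cur["name"], "")
        elif key == "PackageVersion" and "id" in cur:
            packages[cur["id"]] = (cur["name"], value)
        elif key == "Relationship" and len(value.split()) == 3:
            rels.append(tuple(value.split()))
    return packages, rels

def classify(text):
    # Map (name, version) -> 'runtime', 'build' or 'unknown' (no relationship seen).
    packages, rels = parse_spdx(text)
    runtime, build = set(), set()
    for a, rtype, b in rels:
        if rtype in RUNTIME:
            runtime.add(a)
        elif rtype in ("DESCRIBES", "DEPENDS_ON"):  # b is the thing depended on
            runtime.add(b)
        elif rtype in BUILD_ONLY:
            build.add(a)
    # Runtime evidence outranks build-only evidence; no evidence stays 'unknown'.
    return {pkg: "runtime" if sid in runtime else "build" if sid in build else "unknown"
            for sid, pkg in packages.items()}

def packages_to_scan(text, include_build=False):
    # 'unknown' scope is kept so a package is never silently skipped from a CVE scan.
    return sorted(p for p, s in classify(text).items() if include_build or s != "build")
```

With the sample, the default scan list keeps example-app (unknown scope) and zlib, and drops cmake unless `include_build=True`.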