sbomgr
SBOM Grep - search through SBOMs
Bumps [sigs.k8s.io/release-utils](https://github.com/kubernetes-sigs/release-utils) from 0.8.1 to 0.8.2. Release notes Sourced from sigs.k8s.io/release-utils's releases. v0.8.2 What's Changed bump golangci-lint / zeitgeist / cosign and dependencies by @cpanato in kubernetes-sigs/release-utils#103 Full Changelog: https://github.com/kubernetes-sigs/release-utils/compare/v0.8.1...v0.8.2...
Bumps google.golang.org/protobuf from 1.28.0 to 1.33.0. [Dependabot compatibility score](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. --- Dependabot commands...
Bumps [github.com/google/uuid](https://github.com/google/uuid) from 1.5.0 to 1.6.0. Release notes Sourced from github.com/google/uuid's releases. v1.6.0 1.6.0 (2024-01-16) Features add Max UUID constant (#149) (c58770e) Bug Fixes fix typo in version 7 uuid...
Looks like the release action has failed to publish binaries with the release
github.com/CycloneDX/[email protected] introduces compatibility issue with 1.4 compatible code
As of today, sbomgr uses all available CPUs for searching. You can limit it via `export GOMAXPROCS=1`. The ideal case would be to have a flag to control the number of...
For the SBOM here - https://sbomlc.s3.amazonaws.com/sbom4python-0.8.0_paramiko-3.1.0.spdx.tv?AWSAccessKeyId=AKIA2ZBFUJ4NNQGYD5OF&Signature=eyV1wX%2F%2Beg2TaXQTS5UQxE%2FpRd4%3D&Expires=1711592216

```
sbomgr packages -EP 'pypi/cryptography' -O 'filen,docn,docv,pkgn,pkgv' ../sbomlc/sbom4python-0.8.0_paramiko-3.1.0.spdx.tv
../sbomlc/sbom4python-0.8.0_paramiko-3.1.0.spdx.tv Python-paramiko http://spdx.org/spdxdocs/Python-paramiko-f7ea4f38-99df-4880-87d8-ab4d19b9f707  cryptography 40.0.1
```

docv results in blank. However, we have two signals that...
When searching packages, if the package is the primary component, we should indicate it as such.

```sh
➜ sbomqs git:(refactor/scoring) ✗ sbomgr packages -O 'depth,pkgn,pkgv' samples/sbomqs.syft-cyclone.json
../sbomqs 1 github.com/CycloneDX/cyclonedx-go v0.7.0...
```
A common ask is to search only direct dependencies, i.e. packages directly attached to the primary package. This should be supported by a flag called `--direct-dep`.
Bumps [github.com/CycloneDX/cyclonedx-go](https://github.com/CycloneDX/cyclonedx-go) from 0.8.0 to 0.9.0. Release notes Sourced from github.com/CycloneDX/cyclonedx-go's releases. v0.9.0 Changelog Features 729c284798ebe341ced210b661362f77d68cd655: feat: Add CycloneDX 1.6 fields swhid and omniborId (@snyk-tim) b5d35959767efce95f50e96bf752c47fbe374496: feat: add manufacturer and...