Niklas
### Current Behavior: As identified in #1727, there may be multiple fields of CycloneDX BOMs that we currently don't ingest or display. ### Proposed Behavior: Assess DT's coverage of CycloneDX...
### Current Behavior: Alerts / notifications sent via Webhook are neither authenticated nor signed in any way. This makes it hard for receiving parties to verify whether a given notification...
We currently support multiple sources of vulnerability intelligence, among them the NVD, OSS Index, GHSA and VulnDB. In some cases, we perform the actual vulnerability scanning (e.g. NVD, GHSA), in...
I came across the guava vulnerability GHSA-5mg8-w23w-74h3 for which GHSA declares the affected version range as `
I'm using the CLI to ensure that `cyclonedx-go` and `cyclonedx-gomod` produce valid BOMs. While implementing support for spec v1.4 in `cyclonedx-go`, I noticed that some JSON BOMs fail to validate...
The CLI should support diffing component hashes. This would allow for very basic integrity checks. Not sure if it'd be relevant to the user if hashes have been added or...
When working with dependencies, it's important to understand how they're introduced. Since CycloneDX 1.2, dependency graphs are part of the core spec. For previous spec versions, there is a [dependency...
At the moment all main components in SBOMs generated with `app` and `bin` share the same PURL. For example, the SBOM for a binary compiled for `windows/amd64` will have the...
We're currently only capturing the Go version in `app` and `mod`. Ideally we would also include info about the Go compiler, like hashes of `go` and most likely more. We'll...
The Go standard library is vendoring a small selection of modules in such a way that they don't interfere with other versions of those modules in the module graph, see...