
SBOM tools test suite

Open tsteenbe opened this issue 3 years ago • 1 comment

It would be useful to have a way to see the outputs produced by various SBOM tools so we can:

  • Compare accuracy (breadth of detection or completeness / fidelity / metadata included)
  • Compare semantics (each tool translates reality in code differently into an SBOM)
  • Compare component ids (each tool generates different package names/identifiers)

tsteenbe avatar Sep 28 '22 06:09 tsteenbe

@joshbressers as said in today's Security Tooling meeting, I am working on a repository containing various package definition files (pom.xml, package.json, etc.) which will be scanned using (FOSS) SBOM tools every 24 hours using GitHub Actions.

My intent is that one can always compare the latest state of the tools to make it easier to choose one that fits their business needs.

tsteenbe avatar Sep 28 '22 06:09 tsteenbe
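One way to run the component-id comparison the issue describes, as an added example that is not part of this issue or of the sbom-everywhere project: it loads two constructed CycloneDX-style documents standing in for two hypothetical tools' output on the same package.json (not real scan results), normalizes their purls so cosmetic differences (percent-encoding, qualifiers, type casing) do not count as disagreements, and reports which components the tools agree and disagree on.

```python
"""Compare component identifiers across SBOMs produced by different tools (added example)."""
import json
from urllib.parse import unquote

# Constructed CycloneDX-style fragments, NOT real tool output: two hypothetical tools
# scanning the same package.json and emitting slightly different identifiers.
SBOM_TOOL_A = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    {"name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
    {"name": "@babel/core", "version": "7.20.0", "purl": "pkg:npm/%40babel/core@7.20.0"},
]})
SBOM_TOOL_B = json.dumps({"bomFormat": "CycloneDX", "components": [
    {"name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21?vcs_url=git%2Bhttps://example.invalid/lodash"},
    {"name": "@babel/core", "version": "7.20.0", "purl": "pkg:npm/@babel/core@7.20.0"},
    {"name": "debug", "version": "2.6.9", "purl": "pkg:npm/debug@2.6.9"},
]})


def normalize_purl(purl):
    """Reduce a purl to pkg:type/namespace/name@version: drop qualifiers (?...) and
    subpath (#...), percent-decode, and lowercase the type, which the purl spec treats
    as case-insensitive. Anything that is not a purl is returned unchanged."""
    if not purl.startswith("pkg:"):
        return purl
    core = unquote(purl.split("?", 1)[0].split("#", 1)[0])
    ptype, rest = core[len("pkg:"):].split("/", 1)
    return f"pkg:{ptype.lower()}/{rest}"


def component_ids(sbom_json):
    """Set of normalized ids; components without a purl fall back to name@version."""
    doc = json.loads(sbom_json)
    ids = set()
    for c in doc.get("components", []):
        ids.add(normalize_purl(c["purl"]) if c.get("purl") else f"{c['name']}@{c.get('version', '')}")
    return ids


def compare_sboms(sbom_a, sbom_b):
    """Report shared and tool-specific components plus a Jaccard agreement score."""
    a, b = component_ids(sbom_a), component_ids(sbom_b)
    union = a | b
    return {
        "common": sorted(a & b),
        "only_a": sorted(a - b),
        "only_b": sorted(b - a),
        "agreement": round(len(a & b) / len(union), 3) if union else 1.0,
    }


if __name__ == "__main__":
    print(json.dumps(compare_sboms(SBOM_TOOL_A, SBOM_TOOL_B), indent=2))
```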