Puerco
Enable build-time generation of SBOMs in Java projects by integrating the Maven and Gradle parsers from the opensbom project https://github.com/chainguard-dev/melange/issues/140#tasklist-block-dae10634-83bc-4a53-ac3b-3674eb3c5039
Add support for build-time SBOM generation in Python projects by integrating the pip parser from opensbom https://github.com/chainguard-dev/melange/issues/139#tasklist-block-9b4c2876-5a85-4d80-a073-6aff773d3b6f
### Enhancement Description - One-line enhancement description (can be used as a release note): SLSA compliance for the Kubernetes release process - Kubernetes Enhancement Proposal: - Discussion Link: - Primary...
This PR adds autodiscovery capabilities to the VEX processor when scanning container images. The discovery feature is disabled by default; this PR proposes a new `--vex-autodiscover` flag that starts the...
While checking a bug in an implementation I think I found a bug in the JSON schema which may be already widespread. The [License information in file field](https://spdx.github.io/spdx-spec/v2.3/file-information/#86-license-information-in-file-field) in the...
This commit introduces a new `media_type` optional qualifier available to `oci`-typed purls to express the type of OCI object they are identifying (image, manifest, layout, layer, etc). Example purl identifying...
### Current Issue: When apko finds an SBOM inside of an apk describing it, it will import the data from the apk SBOM and compose it in the right place...
### Current Issue: When traversing the SBOM relationships graph, apko could potentially import a complete complex SBOM, even if it describes other elements than the apk we are looking for...
When composing SBOMs, we should have a mechanism to limit the relationship types apko considers in SBOMs it opens to enrich the image SBOM. There may be some relationships that...
We should add vex filtering capabilities to [OSV Scanner](https://github.com/google/osv-scanner)