Ritesh Noronha
CISA has released a document which proposes another way of assembling SBOMs for products. All the details are at https://www.cisa.gov/resources-tools/resources/guidance-assembling-group-products. We will add support for PLB SBOMs to sbom-asm in February....
The user should be able to configure multiple projects in DT which can be assembled into a single project. The user can then request to store it back into DT...
We should be able to ingest SPDX documents and output CycloneDX, and vice versa. This will be a lossy conversion; we should clearly document the data lost in translation.
Add ability to install and use sbomqs via apt-get and yum.
Surface component depth in all reporting formats.
https://github.com/goreleaser/goreleaser-example-supply-chain
In the multi-vuln lookup rule, we check to see if a component has both a CPE and a PURL. Our thinking was the more the merrier for looking up the vuln...
Using the brew directive, automate the Homebrew release via goreleaser.
Currently we check a component's metadata for the presence of licenses; however, we do not check for copyright information. The presence of this information helps consumer tooling to better consume this...
A component's metadata in an SBOM is probably more accurate if the generator tool has analyzed the files of the repo. We should consider using this metric for scoring. We...