Ritesh Noronha

22 issues by Ritesh Noronha

Add support to score SBOM generated in SWID format

> SWID tags can be used as an SBOM, since they provide identifying information for a software component, a listing...

As of today, sbomgr uses all available CPUs for searching. You can limit it via `export GOMAXPROCS=1`. The ideal case would be to have a flag to control the number of...

When searching packages, if the package is the primary component, we should indicate it as such.

```sh
➜ sbomqs git:(refactor/scoring) ✗ sbomgr packages -O 'depth,pkgn,pkgv' samples/sbomqs.syft-cyclone.json
../sbomqs 1 github.com/CycloneDX/cyclonedx-go v0.7.0...
```

A common ask is to search only direct dependencies, i.e. packages directly attached to the primary package. This should be supported by a flag called `--direct-dep`.

sbomqs is currently not validating the SBOM against the official schema for CycloneDX or SPDX. This validation should be added to give a better picture of the SBOM.

Reference: https://github.com/DependencyTrack/dependency-track/issues/3759

CycloneDX 1.6 has been out for a couple of months. I believe the cyclonedx-go package now supports it; let's integrate and test it out, and make the necessary changes.

Issue to add NTIA minimum elements compliance reports.

https://www.imdrf.org/documents/principles-and-practices-software-bill-materials-medical-device-cybersecurity
https://www.fda.gov/medical-devices/digital-health-center-excellence/cybersecurity
https://www.fda.gov/regulatory-information/search-fda-guidance-documents/cybersecurity-medical-devices-quality-system-considerations-and-content-premarket-submissions

We need to add support for SPDX 3.0 scoring. Let's try and understand what this means.

https://www.pcisecuritystandards.org/document_library/

To support Control Objective C.1: Web Software Components & Services