Sambhav Kothari
+1 This would be really useful for cyclonedx support in syft as well. syft currently stores the file "evidence" in its internal model. If we could add this in cyclonedx,...
Training sets, data/model licenses, relevant metrics, external references to the training sets, related artifacts, model cards etc and a way to specify relationships to the software components involved in the...
cc: @nishakm maybe you can help?
Dependent upon implementation of decoders for all the SBOM formats that syft supports. CycloneDX -> #811, SPDX -> #738
@wagoodman - sadly it looks like this information is not available. cc: @pradyunsg if you have any more details.
@pradyunsg that might be tricky though, right? pip might have installed it from one of the extra index URLs or via find-links, some of which may also be project specific...
Created https://github.com/pypa/pip/issues/10736
Related https://github.com/anchore/syft/issues/737 We should catalog sboms using known file extensions. Currently each format that syft supports has a registered file name/extension. spdx - *.spdx.json, *.spdx.xml, *.spdx CycloneDX - *.cdx.json, *.cdx.xml...
A larger question re:design is that we have now introduced a dependency on our internal formatting library on the cataloger. The way that syft is currently structured, we have kept...
See https://github.com/asdf-vm/asdf-plugins for the full list of binaries supported by asdf.