Steve Springett
The scope of some dependencies should be changed (i.e. unit tests) and the library could be published to Maven Central so that other projects could easily incorporate it.
Extend functionality implemented in #83 to support BOM (CycloneDX, SPDX, spec versions, signed/unsigned, etc) in policy conditions.
Current Behavior: Some commercial software vendors provide advisory information in CSAF 2.0 format. These include RedHat and Oracle, among others. There isn't currently a good way to identify vulnerabilities...
It is desirable to specify that a component, service, assembly, or dependency has been redacted. This is a use case currently being discussed at CISA.
A proposal has been suggested that the CycloneDX specification add native support for the [SCVS BOM Maturity Model](https://scvs.owasp.org/bom-maturity-model/) to the schema itself. This may likely be a JSON-only enhancement, but...
Containers are part of a software supply chain. Because of that, I see some overlap in some of the areas of concern outlined in [Component Analysis](https://www.owasp.org/index.php/Component_Analysis). There's also an incubating...
If this is an OWASP project, the adoption of it would likely benefit tremendously if it were rebranded with OWASP logo, etc. Similar to ASVS, M-ASVS, and SCVS. I am...
The European [Cyber Resilience Act (CRA)](https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act) makes clear that open source projects that have regular contributions from commercial entities are subject to the same requirements as a commercial entity. As...
SPDX Tools was removed from Java Core v3.0.0 due to introducing a lot of unnecessary dependencies and requiring Internet access by default (could be disabled via system property: SPDXParser.OnlyUseLocalLicenses). Since...
Add support for Blake3 to BomUtils. Requires commons-codec 1.16 (not currently released)