Tom Fay
Those linked issues are interesting, thanks. #439 overlaps in particular: it points to a desire to standardize the attachment of an SPDX document to a "package" (in that case a directory). I don't...
> a build system that outputted a binary and an SBOM for said binary and placed both in the image that syft will scan; in such a scenario it might...
> Currently syft is able to provide details as to 'why' it included a specific component in the output. One of the blockers to implementing https://github.com/anchore/syft/issues/737 has been figuring out...
> The current implementation would make some incorrect assertions around having discovered the package on disk when actually it was discovered only as part of a declared SBOM that was...
> Another issue I see here is making sure that the list of packages returned by the found SBOM is deduplicated or in some way updated to say that they...
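The two concerns quoted above, that a package discovered only via a declared SBOM must not be reported as "found on disk" and that such packages must be deduplicated against what the other catalogers found, can be shown with a small merge routine. This is an added example, not syft's code or data model: the `Package`/`Provenance` types, the file paths and the embedded CycloneDX document are all constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Provenance records why a package ended up in the catalog (hypothetical type).
type Provenance struct {
	Source   string // "found-on-disk" or "declared-in-sbom"
	Location string // file the evidence came from
}

// Package is a deliberately minimal stand-in for a cataloger result.
type Package struct {
	Name       string
	Version    string
	PURL       string
	Provenance []Provenance
}

// Minimal subset of CycloneDX JSON needed here.
type cdxComponent struct {
	Name    string `json:"name"`
	Version string `json:"version"`
	PURL    string `json:"purl"`
}
type cdxBOM struct {
	Components []cdxComponent `json:"components"`
}

// ParseDeclaredSBOM reads a CycloneDX JSON document discovered at path and
// tags every component as declared, never as found on disk.
func ParseDeclaredSBOM(path string, data []byte) ([]Package, error) {
	var bom cdxBOM
	if err := json.Unmarshal(data, &bom); err != nil {
		return nil, fmt.Errorf("parse %s: %w", path, err)
	}
	pkgs := make([]Package, 0, len(bom.Components))
	for _, c := range bom.Components {
		pkgs = append(pkgs, Package{
			Name: c.Name, Version: c.Version, PURL: c.PURL,
			Provenance: []Provenance{{Source: "declared-in-sbom", Location: path}},
		})
	}
	return pkgs, nil
}

// Merge deduplicates by purl (falling back to name@version) and unions the
// provenance, so a package seen both on disk and in a declared SBOM keeps both
// pieces of evidence instead of appearing twice. Order is found-first, stable.
func Merge(found, declared []Package) []Package {
	key := func(p Package) string {
		if p.PURL != "" {
			return p.PURL
		}
		return p.Name + "@" + p.Version
	}
	byKey := map[string]*Package{}
	var order []string
	add := func(p Package) {
		k := key(p)
		if existing, ok := byKey[k]; ok {
			existing.Provenance = append(existing.Provenance, p.Provenance...)
			return
		}
		cp := p
		byKey[k] = &cp
		order = append(order, k)
	}
	for _, p := range found {
		add(p)
	}
	for _, p := range declared {
		add(p)
	}
	out := make([]Package, 0, len(order))
	for _, k := range order {
		out = append(out, *byKey[k])
	}
	return out
}

// OnlyDeclared lists packages whose sole evidence is a declared SBOM; these are
// the ones a scanner must not claim to have located on disk.
func OnlyDeclared(pkgs []Package) []string {
	var names []string
	for _, p := range pkgs {
		onDisk := false
		for _, pr := range p.Provenance {
			if pr.Source == "found-on-disk" {
				onDisk = true
			}
		}
		if !onDisk {
			names = append(names, p.Name)
		}
	}
	return names
}

// Constructed sample: the declared SBOM lists a package the dpkg cataloger
// also found (libfoo) plus one that exists nowhere else on disk (mytool).
const sampleBOM = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[
 {"name":"libfoo","version":"1.2.3","purl":"pkg:deb/debian/libfoo@1.2.3"},
 {"name":"mytool","version":"0.9.0","purl":"pkg:generic/mytool@0.9.0"}]}`

// Example wires the pieces together on the constructed input.
func Example() ([]Package, error) {
	found := []Package{{
		Name: "libfoo", Version: "1.2.3", PURL: "pkg:deb/debian/libfoo@1.2.3",
		Provenance: []Provenance{{Source: "found-on-disk", Location: "/var/lib/dpkg/status"}},
	}}
	declared, err := ParseDeclaredSBOM("/usr/share/sbom/mytool.cdx.json", []byte(sampleBOM))
	if err != nil {
		return nil, err
	}
	return Merge(found, declared), nil
}

func main() {
	pkgs, err := Example()
	if err != nil {
		panic(err)
	}
	for _, p := range pkgs {
		fmt.Printf("%s@%s evidence=%v\n", p.Name, p.Version, p.Provenance)
	}
	fmt.Println("declared-only:", OnlyDeclared(pkgs))
}
```

The point of keeping both provenance entries on `libfoo` rather than dropping the declared copy is that the "why" output stays truthful: the on-disk evidence justifies the match, and the SBOM entry is additional corroboration rather than a second package.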
Hi @patrikbeno I've added an integration test and made the sbom-cataloger off by default at https://github.com/tofay/syft/commit/a36650fcb4b7765aa9d1e9b1513e6470f3f0728d - can you bring those changes into this PR?
Hi @tgerla. I can't make...
Dumping my notes on formats and SPDX here.

-------------

Suggested requirements for data format.

1. Needs to be able to convey Rust crate runtime and build dependencies.
2. Needs to...
Re "does anyone actually use these formats", both trivy and grype (the vulnerability scanning tool that works with/uses syft) are capable of reading SBOMs in multiple formats, e.g. SPDX/CycloneDX. If...
@JamieMagee before I rebase this, is this a change that you'd accept? My team is currently working around this by discovering source packages where binary name != source name and...
For crates with a GitLab/GitHub repo, crates.io could surface information from OpenSSF's https://securityscorecards.dev/ initiative. This creates a score and report from the result of many language-agnostic security checks.