Alex Goodman
**What would you like to be added**: ELF security feature detection is being added in https://github.com/anchore/syft/pull/2443. What was carved off of this work was being able to detect [selfrando](https://github.com/runsafesecurity/selfrando/blob/master/docs/linux-build-instructions.md)...
This topic has come up in a few different places, in the community meeting and in conversations with @nurmi and @westonsteimel ... so I wanted to capture some of those...
SPDX has the concept of relationships that can be applied to packages, files, or other artifacts. This issue aims to explore what existing metadata can be expressed via SPDX relationships...
It would be ideal if the output SBOM of syft included a description of what is in scope and out of scope as clearly as possible. This includes (but not...
Completing https://github.com/anchore/syft/issues/213 adds support for generating SPDX documents; however, there are several opportunities to expand upon what can be expressed in an SPDX document. For instance, we have a file...
My interpretation of the `fail-on-cache-miss` feature on the `actions/cache` and `actions/cache/restore` actions is that the workflow should stop and be considered a fail if there is no cache found with...
This PR tries to follow some of the ebuild license variable hints found from [GLEP-23](https://www.gentoo.org/glep/glep-0023.html#id9). License processing for portage has been broken out into a separate function and captured tests....
We've adjusted the java cataloger to prefer adding warnings over stopping execution mid-cataloging in order to maximize the number of artifacts found (https://github.com/anchore/syft/pull/348); we should continue this trend and take...
Today CycloneDX allows for arbitrary properties on package components, which we've leveraged in order to map non-compliant fields into the CycloneDX SBOM without going against the CycloneDX spec (see [here](https://github.com/anchore/syft/blob/3aae316456e01af3ff651b4a03fef9899c1ba2f9/syft/formats/common/property_encoder.go#L1))....
It would be ideal to have a `sha1` to `groupID, artifactID` for jars that do not have `pom.xml` and are hosted on maven. This would help with the following issues:...