package_info should have a field for the vendor sbom #96
Some packages include an SBOM produced by the publisher.
We should be able to represent that in package_info.

Comments

Has there been any thought given to a design here? Should it be part of package_info, or a new rule? I was thinking of a new package_sbom rule, for example, and it could take SBOM filename(s) and perhaps an optional format specifier (for example, the various syft output formats, perhaps?). These could then be used like package_info, in that they are applied to a set of targets via either the package rule's default_applicable_licenses or an explicit entry in a target's applicable_licenses attribute. This could then be gathered when traversing the targets and then somehow (tbd) integrated into the final output. If that final output is SPDX, then perhaps an SPDX input would be an externalRefs. Or perhaps it could be integrated directly into the final output as an option.
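A sketch of the package_sbom rule and the gathering aspect described in the comment above, added here as an illustration; it is not code from rules_license and not the commenter's own proposal. The names PackageSbomInfo, TransitiveSbomInfo, package_sbom, gather_sboms and the accepted format list are assumptions (the format strings borrow syft's output format names), and the aspect only walks deps and data. Collecting through applicable_licenses mirrors how rules_license already reaches package_info targets.

```starlark
# Added illustration of the package_sbom design floated in the comment above.
# Not code from rules_license; every name below is hypothetical.

PackageSbomInfo = provider(
    doc = "SBOM document(s) shipped by the package publisher.",
    fields = {
        "label": "Label of the package_sbom target that declared the SBOM",
        "sboms": "depset of File: the vendor SBOM document(s)",
        "format": "string: serialization format of the documents",
    },
)

# Assumed vocabulary: syft's output format names, so a consumer knows how to
# parse a vendor document before merging or cross-referencing it.
_SBOM_FORMATS = [
    "spdx-json",
    "spdx-tag-value",
    "cyclonedx-json",
    "cyclonedx-xml",
    "syft-json",
]

def _package_sbom_impl(ctx):
    return [PackageSbomInfo(
        label = ctx.label,
        sboms = depset(ctx.files.srcs),
        format = ctx.attr.format,
    )]

package_sbom = rule(
    implementation = _package_sbom_impl,
    attrs = {
        "srcs": attr.label_list(
            allow_files = True,
            mandatory = True,
            doc = "SBOM file(s) as published by the vendor, checked in with the package.",
        ),
        "format": attr.string(
            values = _SBOM_FORMATS,
            default = "spdx-json",
            doc = "Format of the files in srcs.",
        ),
    },
    provides = [PackageSbomInfo],
)

TransitiveSbomInfo = provider(
    doc = "All PackageSbomInfo reachable from a target through deps and data.",
    fields = {"sboms": "depset of PackageSbomInfo"},
)

def _gather_sboms_impl(target, ctx):
    # A package_sbom target reaches a consumer the same way package_info does:
    # via default_applicable_licenses on the package() or an explicit
    # applicable_licenses attribute on the target itself.
    direct = []
    for meta in getattr(ctx.rule.attr, "applicable_licenses", []):
        if PackageSbomInfo in meta:
            direct.append(meta[PackageSbomInfo])

    # Merge what the aspect already collected on the dependencies it traverses.
    transitive = []
    for attr_name in ["deps", "data"]:
        for dep in getattr(ctx.rule.attr, attr_name, []):
            if TransitiveSbomInfo in dep:
                transitive.append(dep[TransitiveSbomInfo].sboms)

    return [TransitiveSbomInfo(sboms = depset(direct = direct, transitive = transitive))]

gather_sboms = aspect(
    implementation = _gather_sboms_impl,
    attr_aspects = ["deps", "data"],
    provides = [TransitiveSbomInfo],
)

# Hypothetical BUILD usage:
#
#   load("//rules:sbom.bzl", "package_sbom")
#   package(default_applicable_licenses = [":license", ":vendor_sbom"])
#   package_sbom(
#       name = "vendor_sbom",
#       srcs = ["vendored/acme-lib-1.2.3.spdx.json"],
#       format = "spdx-json",
#   )
#
# A writer rule would request gather_sboms on its roots and, for SPDX output,
# point at each collected document (for instance as an external reference, as
# the comment suggests) instead of re-deriving the vendor's component list.
```

Keeping the vendor document as a referenced file rather than copying its contents into package_info means the build records where the publisher's SBOM came from and in which format, and the writer decides at output time whether to embed or merely reference it.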