Replies: 1 comment 3 replies
-
|
I can't see examples of the SBOMs which are being generated. It would be good to see what 'good' looks like. I also note that there is a template 'SBOM'. It has defined the CycloneDX lifecycle as Build. I though the purpose of this activity was to produce 'Source' SBOMs? If multiple types of SBOMs are being produced (and why not?), I think it would be good to have these as separate examples to show that it is clear what additional information gets added at each stage of the SBOM lifecycle. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @anthonyharrison! I added the following links to the top comment on discussion. KeycloakPython App and Container |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @idunbarh . Lots of data to play with... Can already see inconsistencies between the two formats. I suppose what is missing is what the 'ground' truth is so we can then determine which one is right (if at all). I think it would also be useful to include the raw SBOMs (before the enrichment phase) so that a comparison can be made against the enriched version. Many organisations are just relying on a tool generated SBOM without enrichment. |
Beta Was this translation helpful? Give feedback.
-
|
@anthonyharrison As was mentioned in yesterday's SBOM meeting, all steps are included in the final artifacts. Thus it's possible to diff each phase as @tiegz illustrated. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Discussion to collect feedback on the phase 1 from the greater CISA SBOM Community.
Keycloak
Python App and Container
Beta Was this translation helpful? Give feedback.
All reactions