
Mix task to generate a Software Bill-of-Materials (SBoM) in CycloneDX format

Results 12 sbom issues

This fixes the following compilation warning that leads to runtime errors:

```
warning: Mix.Dep.load_on_environment/1 is undefined or private
│
21 │     Mix.Dep.load_on_environment(env: environment)
│             ~
│
└─ lib/sbom.ex:21:15: SBoM.components_for_project/1
```

Hey guys, firstly, thanks for the work! I did some refactors and implemented a json encoder, I tested the results with [sbom-utility](https://github.com/CycloneDX/sbom-utility), and everything seems fine. This closes #3 ![image](https://github.com/voltone/sbom/assets/3910403/cdae1b30-3afe-4c2d-9255-c7f7eb720416)...

When feeding `bom.xml` into other SBOM tools, they complain that the file fails CycloneDX checks. This is because it's missing the primary component (the component in the metadata), i.e.

```
2022-02-28T07:23:43.664Z CycloneDX Node.js...
```

I'm looking at things from a slightly different perspective, where I want to look at a source repo and see if it has a valid bom.xml. Would this be...

The install instructions do indeed mention that you should add the library using `only: :dev, runtime: false`. However, if you fail to add the dependency just like that, you get...

Blocked by https://github.com/package-url/vers-spec/issues/49. Also, we need to decide if this should be in here or PR'ed to Elixir itself.

blocked

**Proposed properties:**

> [!IMPORTANT]
> Let me know what you think about them :) or if you want more or less than the proposed

#### **Mix dependency metadata:**

```json
...
```

help wanted
good first issue

**Purpose:** Grouping related components for better organization.

**Proposed:**

```elixir
defp determine_group(component) do
  case component.package_url.type do
    "otp" when is_erlang_stdlib(component.name) -> "erlang.otp"
    "github" when is_elixir_stdlib(component.name) -> "elixir.stdlib"
    _ -> nil
  end
end
```

...

help wanted
good first issue

**Definition:** The organization that published/released the package.

**Proposed logic:**

```elixir
defp determine_publisher(component) do
  case component.package_url.type do
    "hex" -> "Hex.pm"
    "github" -> "GitHub"
    "otp" -> "Erlang/OTP"
    _ -> nil
  end
end
```

...

help wanted
good first issue