Replies: 1 comment 3 replies
-
|
I can't see examples of the SBOMs which are being generated. It would be good to see what 'good' looks like. I also note that there is a template 'SBOM'. It has defined the CycloneDX lifecycle as Build. I though the purpose of this activity was to produce 'Source' SBOMs? If multiple types of SBOMs are being produced (and why not?), I think it would be good to have these as separate examples to show that it is clear what additional information gets added at each stage of the SBOM lifecycle. |
Beta Was this translation helpful? Give feedback.
-
|
Hi @anthonyharrison! I added the following links to the top comment on discussion. KeycloakPython App and Container |
Beta Was this translation helpful? Give feedback.
-
|
Thanks @idunbarh . Lots of data to play with... Can already see inconsistencies between the two formats. I suppose what is missing is what the 'ground' truth is so we can then determine which one is right (if at all). I think it would also be useful to include the raw SBOMs (before the enrichment phase) so that a comparison can be made against the enriched version. Many organisations are just relying on a tool generated SBOM without enrichment. |
Beta Was this translation helpful? Give feedback.
-
|
@anthonyharrison As was mentioned in yesterday's SBOM meeting, all steps are included in the final artifacts. Thus it's possible to diff each phase as @tiegz illustrated. |
Beta Was this translation helpful? Give feedback.
-
Discussion to collect feedback on the phase 1 from the greater CISA SBOM Community.
Keycloak
Python App and Container
Beta Was this translation helpful? Give feedback.
All reactions