Skip to content

Add evidence to sbom report #788

Description

@ben-edna

The OWASP CycloneDX-Authoritative Guide to SBOM mentions evidence should be provided. (starting from CycloneDX 1.5)

Dfetch determines 2 fields, so should provide evidence:

  • For the purl field this should be of type manifest-analysis and tools can be added and a confidence somewhere between 0.4-0.6.
  • For the license field the result infer_license.api.guess_file(license_file) could be used
Image

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions