Friends and folks working with #SBOMs - how do you conceptually think about them in terms of ingesting them into tools?

I.e. I like to think of an SBOM having a source repository or component it relates to, but sometimes you don't know that up front, and all you have is the result of a scan, which could be the source repo, a container image, or a built binary.

Considering whether:

  • I try to guess what repo/component it is based on the filename
  • Just store the filename in the database and allow querying with that (and leave repo info optional)
  • Retrieve metadata from the SBOM that known tools use to define this
  • Some 4th option?
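The third option is the one that degrades most gracefully, because both major SBOM formats have a slot for "the thing this document describes": CycloneDX puts it in `metadata.component` (with an optional `vcs` external reference), and SPDX points `documentDescribes` at a package that may carry a `downloadLocation` and a `purl` external ref. The following Go program is an added example (not code from Dependency Management Data or any SBOM tool) that reads that metadata first, records which generator produced the file, and only falls back to a name derived from the filename when the document names no primary component. The struct names, the `Subject` type and the three sample documents are all constructed for this example; the JSON field names are the ones the CycloneDX and SPDX JSON schemas use.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)

// Subject is what an SBOM says it describes. Empty fields mean the document
// did not carry that information; Fallback marks a name guessed from the filename.
type Subject struct {
	Format, Name, Version, PURL, VCS, Tool string
	Fallback                               bool
}

// Minimal views of CycloneDX 1.x and SPDX 2.x JSON, limited to the fields read here.
// encoding/json matches untagged field names case-insensitively, so "purl" fills PURL.
type cdxDoc struct {
	Metadata struct {
		Tools     json.RawMessage `json:"tools"` // array in CycloneDX 1.4, object with "components" in 1.5+
		Component struct {
			Name, Version, PURL string
			ExternalReferences  []struct{ Type, URL string } `json:"externalReferences"`
		} `json:"component"`
	} `json:"metadata"`
}

type spdxDoc struct {
	DocumentDescribes []string                    `json:"documentDescribes"`
	CreationInfo      struct{ Creators []string } `json:"creationInfo"`
	Packages          []struct {
		SPDXID, Name, VersionInfo, DownloadLocation string
		ExternalRefs                                []struct{ ReferenceType, ReferenceLocator string } `json:"externalRefs"`
	} `json:"packages"`
}

// toolFromCDX accepts both shapes of metadata.tools and returns "name version" of the first tool.
func toolFromCDX(raw json.RawMessage) string {
	type tool struct{ Name, Version string }
	var list []tool
	var obj struct{ Components []tool }
	switch {
	case json.Unmarshal(raw, &list) == nil && len(list) > 0:
		return list[0].Name + " " + list[0].Version
	case json.Unmarshal(raw, &obj) == nil && len(obj.Components) > 0:
		return obj.Components[0].Name + " " + obj.Components[0].Version
	}
	return ""
}

// filenameGuess strips the usual SBOM suffixes (e.g. "svc.cdx.json" -> "svc"); last resort only.
func filenameGuess(filename string) string {
	base := filepath.Base(filename)
	for _, suffix := range []string{".json", ".cdx", ".spdx", ".sbom", ".bom"} {
		base = strings.TrimSuffix(base, suffix)
	}
	return base
}

// IdentifySubject reads the SBOM's own metadata and falls back to the filename
// only when the document does not name a primary component.
func IdentifySubject(filename string, data []byte) (Subject, error) {
	var probe struct {
		BOMFormat   string `json:"bomFormat"`
		SPDXVersion string `json:"spdxVersion"`
	}
	if err := json.Unmarshal(data, &probe); err != nil {
		return Subject{}, fmt.Errorf("%s: not a JSON SBOM: %w", filename, err)
	}
	var s Subject
	switch {
	case probe.BOMFormat == "CycloneDX":
		var d cdxDoc
		if err := json.Unmarshal(data, &d); err != nil {
			return Subject{}, err
		}
		c := d.Metadata.Component
		s = Subject{Format: "CycloneDX", Name: c.Name, Version: c.Version, PURL: c.PURL, Tool: toolFromCDX(d.Metadata.Tools)}
		for _, r := range c.ExternalReferences {
			if r.Type == "vcs" {
				s.VCS = r.URL
			}
		}
	case probe.SPDXVersion != "":
		var d spdxDoc
		if err := json.Unmarshal(data, &d); err != nil {
			return Subject{}, err
		}
		s.Format = "SPDX"
		for _, p := range d.Packages { // the described package is the subject, not just any package
			if len(d.DocumentDescribes) == 0 || p.SPDXID != d.DocumentDescribes[0] {
				continue
			}
			s.Name, s.Version = p.Name, p.VersionInfo
			if p.DownloadLocation != "NOASSERTION" && p.DownloadLocation != "NONE" {
				s.VCS = p.DownloadLocation
			}
			for _, r := range p.ExternalRefs {
				if r.ReferenceType == "purl" {
					s.PURL = r.ReferenceLocator
				}
			}
			break
		}
		for _, c := range d.CreationInfo.Creators { // SPDX records the generator as a "Tool: ..." creator
			if strings.HasPrefix(c, "Tool: ") {
				s.Tool = strings.TrimPrefix(c, "Tool: ")
			}
		}
	default:
		return Subject{}, fmt.Errorf("%s: neither bomFormat nor spdxVersion present", filename)
	}
	if s.Name == "" {
		s.Name, s.Fallback = filenameGuess(filename), true
	}
	return s, nil
}

// Constructed sample documents (not real tool output), trimmed to the relevant fields.
const SampleCDX = `{"bomFormat":"CycloneDX","specVersion":"1.4",
 "metadata":{"tools":[{"vendor":"example","name":"example-scanner","version":"0.0.0-example"}],
  "component":{"type":"application","name":"payments-api","version":"2.3.1",
   "purl":"pkg:golang/example.com/payments-api@2.3.1",
   "externalReferences":[{"type":"vcs","url":"https://example.com/org/payments-api.git"}]}},
 "components":[]}`

const SampleSPDX = `{"spdxVersion":"SPDX-2.3","SPDXID":"SPDXRef-DOCUMENT","name":"payments-api",
 "documentDescribes":["SPDXRef-RootPackage"],
 "creationInfo":{"creators":["Organization: Example Co","Tool: example-scanner-1.0"]},
 "packages":[{"SPDXID":"SPDXRef-RootPackage","name":"payments-api","versionInfo":"2.3.1",
   "downloadLocation":"git+https://example.com/org/payments-api.git",
   "externalRefs":[{"referenceCategory":"PACKAGE-MANAGER","referenceType":"purl",
     "referenceLocator":"pkg:golang/example.com/payments-api@2.3.1"}]}]}`

// A CycloneDX document with no metadata.component: only the filename is left to go on.
const SampleBare = `{"bomFormat":"CycloneDX","specVersion":"1.4","components":[]}`

func main() {
	for name, doc := range map[string]string{"payments-api.cdx.json": SampleCDX, "payments-api.spdx.json": SampleSPDX, "unknown-scan.cdx.json": SampleBare} {
		s, err := IdentifySubject(name, []byte(doc))
		fmt.Printf("%s -> %+v (err=%v)\n", name, s, err)
	}
}
```

Storing the `Fallback` flag alongside the name is what makes the second and third options compose: the filename-derived subject can be queried immediately, and later replaced or linked to a repository once a better-identified SBOM for the same purl or VCS URL arrives. Recording `Tool` also lets the ingester apply per-generator quirks, since tools differ in whether they populate `metadata.component` at all.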

I'm trying to tweak how Dependency Management Data works with SBOMs, and want to find out how other folks handle this so I can weigh those approaches.

This post was filed under notes.
