certcc / sbom Goto Github PK

I would like to update the CVE database on local server.
When I used SwiftBOM on internet (https://sbom.democert.org/sbom/), I think that this database is latest.
I would like to know how to update CVE database.

Hi @sei-vsarvepalli,

I would like to know which versions of SPDX does the tooling support?

From Meeting on July 21, 2021 for NTIA Medical PoC working group:

There were a few items identified by the meeting participants about SwiftBOM that can improve the PoC experience

1. When CPE is chosen as the input - ensure CPE data is preserved in the generated SBOM in various formats
2. Improve SPDX output by adding JSON output of SPDX specification
3. Present CVE data in CSAF or OSV format as appropriate to be appended to the output formats.

CycloneDx v1.2 supports JSON output. Could you add CycloneDx-JSON as an output format?

Couldn't you automatically add the swid tags generated in the SWID file into CycloneDX with <swid></swid> ? This field could help for component vulnerability tracing.

Many build tools create CycloneDx SBOMs. Having import-CycloneDx button (similar to import-spdx and import-excel) would save me typing them into form or making fake SBoM and using hierarchy features.

The "Import Excel Template" option isn't importing information. It successfully prompts to select a file and provides the "Experimental!" warning, but information does not populate in the fields for the document or component information.

Some of the NOASSERTION fields need no longer need to be included.

https://spdx.github.io/spdx-spec/v2.3/

When I tried to import the NPM packages like Jasmine, I am getting the error like this:

Please guide me to how to solve this issue.

Hi @sei-vsarvepalli

I have understood how to work on this tool to Import SPDX, Excel, NPM and PIP packages. But I am not understanding how can I work on CycloneDX in this tool. Is it possible to import or any other way to add XML/JSON file into CycloneDX?

Please guide me.

Suggest that this repo enables the new discussion features and creates a Gitter so that post meeting conversations amongst the community can continue

Enclosed is a sample Excel that can be imported to build SBOM SPDX template.

SBOM_Component_Import.xlsx

The Health care PoC has a work in progress of managing multiple SPDX SBOM's that can eb cross reference using the SPDX
See
https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/

Section "7.1.4 Data Format" for referencing external SPDX documents using the format
["DocumentRef-"[idstring]":"]SPDXID ["DocumentRef-"[idstring]":"]SPDXID | NONE | NOASSERTION
where "DocumentRef-"[idstring]":" is an optional reference to an external SPDX document as described in section 2.6

From Ed Heierman (Abbot) with support from kstewart(at)linuxfoundation.org

Issue: Including a space character in the Primary Component Name breaks the Graph from displaying any Included components.

Note: Including a space character in an Included Component Name does not break the graph from displaying further Included components.

Hi @sei-vsarvepalli
I have tried to generate SBOM using the default example(ACME) on swiftbom and with the general npm package. I see the vulnerabilities list in CycloneDX XML format but I am unable to see it in CycloneDx json format.