The project is currently a polyglot SBoM generator tool. Once an SBoM gets generated, there are various analyses that could be performed to enhance the accuracy and the richness of information, to help the consumer tools and processes. These could be optional and configurable based on needs. Some of the analyses that could be considered are:
Completeness analysis - Generate the list of components imported and referred to in the source code or binary (without looking at the package manifest) to identify the gaps (and to continuously improve the original generation).
Usage analysis - Identify the list of packages that are imported/used directly in the application or binary. This is currently done for JavaScript/TypeScript. This could be refactored and performed for more languages.
Data Flow analysis - Identify the methods and parameters of OSS packages that could be reached from external callers (from entrypoints).
There are some constraints/principles that could be enforced:
Privacy - The tool would never send the entire SBoM to an external service for such analysis. The only exception is Dependency-Track, which is an integration that is useful.
Non-opinionated - cdxgen will not attempt to interpret the results from the analysis to say whether a package/component is good, bad, risky, etc. It would merely say which components and their modules/methods are used or reachable externally.
Server/Database - If the analysis requires a server or database component, these would also be made available as open source, following the same constraints/principles as above.
Will add more notes to this discussion over time.