Consider dependency graphing tooling that can produce standardized output for downstream tools #21
Comments
|
(credit Aeva for noting this project) For convenience, here is a copy of its goals/claims: GitBOM is a minimalistic scheme for build tools to:
GitBOM is designed to:
|
|
Such graphing tools as GitBom (and others for different SBOM types) will be essential for constructing the most accurate inventory and data around components (resources) that go into an SBOM for downstream consumption (e.g., scanning, validation, analysis, etc.) |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
One of the missing "tool types" (in existing SBOM tooling classification efforts) is dependency graphing tools.
These are tools which can create an independent dependency graph (across artifact types, language/package deps., base images, etc.) of components/resources that represent the hardware, software and services for an accurate inventory for an SBOM.
Today, most SBOM creation/generation tools tend to create their own proprietary graphs based upon domains-specific assumptions. In terms of language-specific SBOM tools, they are often coded to only a partial graph for files (package lists) they look for and can interpret. Effectively, we need a graphing tool that can be used for traversal for any language as almost all applications (and products) are composed of a plurality of languages.
The text was updated successfully, but these errors were encountered: