Friends and folks working with #SBOMs - how do you conceptually think about them in terms of ingesting them into tools?
I.e., I like to think of an SBOM as having a source repository or component it relates to, but sometimes you don't know that up front, and all you have is the result of a scan, which could be of the source repo, a container image, or a built binary.
Considering whether:
- I try to guess what repo/component it is based on the filename
- Just store the filename in the database and allow querying with that (and leave repo info optional)
- Retrieve metadata from the SBOM that known tools use to define this
- Some 4th option?
Trying to tweak how Dependency Management Data works with SBOMs, and looking for how other folks do it so I can consider those approaches.
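A sketch of option 3 with option 2 as the fallback, written as an added example for this note rather than anything from Dependency Management Data itself: it reads the component a CycloneDX document names in `metadata.component`, or the package an SPDX document marks as described (the `documentDescribes` list in SPDX 2.2, the `DESCRIBES` relationship in SPDX 2.3), and only when neither is present falls back to the filename, recording which route produced the answer so the repo link can stay optional. The `Subject` type, the `Source` labels and the `.cdx`/`.spdx` filename convention are assumptions for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"strings"
)
// Subject is what ingestion records about what an SBOM describes (repo, image
// or binary) and how that was decided: "cyclonedx", "spdx" or "filename".
type Subject struct{ Name, Version, Source string }
// Minimal views of each format; encoding/json ignores unknown keys and matches the rest case-insensitively.
type cycloneDX struct {
	BOMFormat string
	Metadata  struct{ Component struct{ Name, Version string } }
}
type spdx struct {
	SPDXID            string
	DocumentDescribes []string // older SPDX 2.2 documents
	Packages          []struct{ SPDXID, Name, VersionInfo string }
	Relationships     []struct{ SpdxElementId, RelatedSpdxElement, RelationshipType string }
}
// IdentifySubject prefers what the SBOM itself says it describes and falls back to the filename only as a last resort.
func IdentifySubject(filename string, doc []byte) Subject {
	if c := (cycloneDX{}); json.Unmarshal(doc, &c) == nil && c.BOMFormat == "CycloneDX" && c.Metadata.Component.Name != "" {
		return Subject{c.Metadata.Component.Name, c.Metadata.Component.Version, "cyclonedx"}
	}
	if s := (spdx{}); json.Unmarshal(doc, &s) == nil && s.SPDXID == "SPDXRef-DOCUMENT" {
		described := map[string]bool{}
		for _, id := range s.DocumentDescribes {
			described[id] = true
		}
		for _, r := range s.Relationships { // SPDX 2.3: DOCUMENT DESCRIBES <package>
			if r.RelationshipType == "DESCRIBES" && r.SpdxElementId == "SPDXRef-DOCUMENT" {
				described[r.RelatedSpdxElement] = true
			}
		}
		for _, p := range s.Packages {
			if described[p.SPDXID] {
				return Subject{p.Name, p.VersionInfo, "spdx"}
			}
		}
	}
	base := strings.TrimSuffix(filepath.Base(filename), filepath.Ext(filename)) // "payments-api.cdx.json" -> "payments-api.cdx"
	return Subject{Name: strings.TrimSuffix(strings.TrimSuffix(base, ".cdx"), ".spdx"), Source: "filename"}
}
func main() { // constructed sample, not a real scan
	fmt.Printf("%+v\n", IdentifySubject("app.cdx.json", []byte(`{"bomFormat":"CycloneDX","metadata":{"component":{"name":"payments-api","version":"1.4.2"}}}`)))
}
```

Because `Source` is stored alongside the name, a later query can tell a subject the SBOM asserted apart from one merely guessed from a filename.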
This post was filed under notes.