all-producers.md
## Selected for study

| Producer | Version |
|---|---|
| Build Info Go | 1.9.3 |
| CycloneDX Generator | 8.4.3 |
| CycloneDX Maven Plugin | 2.7.8 |
| jbom | 1.2.1 |
| OpenRewrite | 4.45.0 |
| Depscan | 4.1.2 |

## Not selected for study

| URL | Reason |
|---|---|
| https://learn.castsoftware.com/highlight | proprietary |
| https://github.com/CycloneDX/cyclonedx-cli | SBOM transformation tool, not a producer |
| https://www.eclipse.org/antenna | archived |
| https://fossa.com/ | proprietary |
| https://gitlab.com/gitlab-org/security-products/analyzers/gemnasium | proprietary |
| https://meterian.io/products/boss | proprietary |
| https://github.com/SAP/jenkins-library | designed for SAP projects |
| https://spack.io/ | package manager, not an SBOM producer |
| https://github.com/veracode/srcclr_sbom_gen | proprietary |
| https://github.com/coinbase/salus | only reports vulnerabilities, does not produce an SBOM |
| https://securestack.com/ | proprietary |
| https://aquasecurity.github.io/trivy/v0.36/ | cannot scan Java projects |
| https://github.com/javixeneize/zasca | threw exceptions on many of our projects |
| https://github.com/whitesource-ps/ws-sbom-generator | proprietary |
| https://scribesecurity.com/scribe-platform-lp/ | proprietary |
| https://jfrog.com/xray/ | proprietary |
| https://github.com/org-metaeffekt/metaeffekt-documentation-template | usage not documented |
| https://github.com/Labs64/swid-maven-plugin | produces SWID tags, not CycloneDX |
| https://github.com/usnistgov/swid-tools | produces SWID tags, not CycloneDX |
| https://www.npmjs.com/package/renovate | custom format |
| https://qmstr.org/documentation/introduction/installation/ | too many components; requires client/server communication |
| https://slsa.dev/verification_summary/v0.1 | covers only files, no dependencies |
| https://github.com/oss-review-toolkit/ort | custom format |
| https://github.com/spdx/tools-java/blob/master/README.md | generated a verification code, but no SBOM |
| https://github.com/anchore/grype | Java projects are not supported |
| https://www.scanoss.co.uk/ | custom format |
| https://github.com/opensbom-generator/spdx-sbom-generator | SPDX (future work) |
| https://github.com/microsoft/sbom-tool | SPDX (future work) |
| https://github.com/spdx/spdx-maven-plugin | SPDX (future work) |
| https://github.blog/2023-03-28-introducing-self-service-sboms/ | SPDX (future work) |
| https://lift.sonatype.com/ | online tool |
| https://github.com/anchore/syft | not supported for Maven |
| https://github.com/snyk/snyk-maven-plugin | online tool |
| https://github.com/nexB/scancode-toolkit | does not detect transitive dependencies (nexB/scancode-toolkit@3383) |
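Several of the exclusion reasons above are mechanical checks on the produced document rather than on the tool: does it emit CycloneDX or SPDX instead of a custom format, and does its dependency graph reach beyond direct dependencies (the scancode-toolkit exclusion). The script below is an added example, not part of the study's tooling, that applies those two checks to a candidate SBOM. It recognises the CycloneDX JSON markers (`bomFormat`, `specVersion`, `metadata.component.bom-ref`, `dependencies[].dependsOn`) and the SPDX JSON markers (`spdxVersion`, `SPDXID`, `documentDescribes`, `relationships[]` with `DEPENDS_ON`). The four sample documents are constructed inline for the demonstration and were not produced by any tool in the table.

```python
"""Screen a candidate SBOM for format and for transitive dependencies.

Added example for the producer survey; the sample documents below are
constructed by hand and do not come from any listed tool.
"""
import json

def sbom_format(doc):
    """Classify by top-level markers: 'CycloneDX', 'SPDX' or 'unknown'."""
    if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
        return "CycloneDX"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-") and "SPDXID" in doc:
        return "SPDX"
    return "unknown"

def component_count(doc):
    """CycloneDX lists components; SPDX lists packages."""
    fmt = sbom_format(doc)
    key = {"CycloneDX": "components", "SPDX": "packages"}.get(fmt)
    return len(doc.get(key, [])) if key else 0

def root_ref(doc):
    """Identifier of the described application, or None if the SBOM has no root."""
    fmt = sbom_format(doc)
    if fmt == "CycloneDX":
        return doc.get("metadata", {}).get("component", {}).get("bom-ref")
    if fmt == "SPDX":
        described = doc.get("documentDescribes", [])
        return described[0] if described else None
    return None

def dependency_graph(doc):
    """Normalise the dependency graph to {parent ref: set(child refs)}."""
    graph = {}
    fmt = sbom_format(doc)
    if fmt == "CycloneDX":
        for entry in doc.get("dependencies", []):
            graph.setdefault(entry["ref"], set()).update(entry.get("dependsOn", []))
    elif fmt == "SPDX":
        for rel in doc.get("relationships", []):
            if rel.get("relationshipType") == "DEPENDS_ON":
                graph.setdefault(rel["spdxElementId"], set()).add(rel["relatedSpdxElement"])
    return graph

def screen(text):
    """Return the screening verdict for one SBOM document given as JSON text."""
    doc = json.loads(text)
    graph = dependency_graph(doc)
    root = root_ref(doc)
    direct = graph.get(root, set()) if root else set()
    # A transitive dependency exists when a direct dependency has dependencies of its own.
    transitive = any(graph.get(child) for child in direct)
    return {
        "format": sbom_format(doc),
        "components": component_count(doc),
        "direct_dependencies": len(direct),
        "has_transitive_dependencies": transitive,
    }

# Constructed samples (hypothetical coordinates, not real project output).
APP = "pkg:maven/example/app@1.0.0"
LIB_A = "pkg:maven/org.example/lib-a@2.0"
LIB_B = "pkg:maven/org.example/lib-b@3.1"

CYCLONEDX_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": APP, "name": "app", "version": "1.0.0"}},
    "components": [{"bom-ref": LIB_A, "name": "lib-a", "version": "2.0"},
                   {"bom-ref": LIB_B, "name": "lib-b", "version": "3.1"}],
    "dependencies": [{"ref": APP, "dependsOn": [LIB_A]},
                     {"ref": LIB_A, "dependsOn": [LIB_B]}],
})
SPDX_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-app"],
    "packages": [{"SPDXID": "SPDXRef-app", "name": "app"},
                 {"SPDXID": "SPDXRef-lib-a", "name": "lib-a"}],
    "relationships": [{"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
                       "relatedSpdxElement": "SPDXRef-lib-a"}],
})
# CycloneDX with components but no dependency graph at all.
FLAT_SAMPLE = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": APP}},
    "components": [{"bom-ref": LIB_A, "name": "lib-a"}],
})
CUSTOM_SAMPLE = json.dumps({"tool": "hypothetical", "deps": ["lib-a"]})

if __name__ == "__main__":
    for name, text in [("cyclonedx", CYCLONEDX_SAMPLE), ("spdx", SPDX_SAMPLE),
                       ("flat", FLAT_SAMPLE), ("custom", CUSTOM_SAMPLE)]:
        print(name, screen(text))
```

Run it against a real producer's output by replacing the sample text with the file contents; a verdict of `unknown` corresponds to the "custom format" rows, and `has_transitive_dependencies: False` on a project known to have transitive dependencies corresponds to the scancode-toolkit row.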