SwiftBom tool #14

Closed

Nikhil1819 opened this issue Nov 9, 2021 · 1 comment

@Nikhil1819
Hi @sei-vsarvepalli,
I have tried to generate an SBOM using the default example (ACME) on swiftbom and with a general npm package. I see the vulnerabilities list in CycloneDX XML format, but I am unable to see it in CycloneDX JSON format.

@sei-vsarvepalli sei-vsarvepalli self-assigned this Nov 9, 2021
@sei-vsarvepalli
Contributor

Hello @Nikhil1819

This is a known limitation of the CycloneDX JSON format. You can check out:
https://cyclonedx.org/use-cases/#vulnerability-disclosure

In JSON the option is to refer to a CPE or SWID tag that can be used to look up (externally) the CVE that is considered a "Known Vulnerability." In the other "Vulnerability Remediation" use case, you can use the package pedigree validation to announce and absorb a patch.

You can check out all the use cases on the CycloneDX site, which will guide you about CycloneDX usage:

https://cyclonedx.org/use-cases/
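The external lookup described in the reply above, as an added example that is not part of the thread or of the swiftbom project: a CycloneDX JSON document carries no vulnerability list of its own, so a consumer has to pull each component's identifiers (CPE, SWID tag id, package URL) out of the SBOM and resolve them against a vulnerability feed it obtains elsewhere. The SBOM and the feed below are both constructed for this example, the advisory IDs are placeholders rather than real CVEs, and the feed format (a dict keyed by identifier) is an assumption standing in for whatever source a real deployment would query. Components that expose no identifier at all are reported separately, since they cannot be matched against any feed and should not pass as clean.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.3 JSON SBOM for this example (not swiftbom output).
# As discussed in the thread, the JSON carries identifiers only; the list of
# known vulnerabilities has to be resolved externally from those identifiers.
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.3",
    "version": 1,
    "components": [
        {"type": "library", "bom-ref": "example-lib@1.3.0",
         "name": "example-lib", "version": "1.3.0",
         # Tools often append qualifiers; the feed is keyed without them.
         "purl": "pkg:npm/example-lib@1.3.0?registry_url=https://registry.npmjs.org"},
        {"type": "application", "bom-ref": "acme-app",
         "name": "acme-app", "version": "2.0.1",
         "cpe": "cpe:2.3:a:acme:acme-app:2.0.1:*:*:*:*:*:*:*",
         "swid": {"tagId": "com.acme.app-2.0.1"}},
        {"type": "library", "bom-ref": "lib-no-ids",
         "name": "mystery-lib", "version": "0.9"},
    ],
})

# Constructed external vulnerability feed, keyed by CPE, SWID tag id or
# canonical purl. Advisory IDs are placeholders for the example, not real CVEs.
VULN_FEED: Dict[str, List[str]] = {
    "cpe:2.3:a:acme:acme-app:2.0.1:*:*:*:*:*:*:*": ["EXAMPLE-2021-0001"],
    "swid:com.acme.app-2.0.1": ["EXAMPLE-2021-0001"],
    "pkg:npm/example-lib@1.3.0": ["EXAMPLE-2021-0002"],
}


def canonical_purl(purl: str) -> str:
    """Drop purl qualifiers ('?...') and subpath ('#...') so that a feed keyed
    on the bare package URL still matches what the SBOM generator emitted."""
    return purl.split("?", 1)[0].split("#", 1)[0]


def component_identifiers(component: dict) -> List[str]:
    """Collect every lookup key a component offers: CPE, SWID tag id, purl."""
    ids: List[str] = []
    if component.get("cpe"):
        ids.append(component["cpe"])
    swid = component.get("swid") or {}
    if swid.get("tagId"):
        ids.append("swid:" + swid["tagId"])
    if component.get("purl"):
        ids.append(canonical_purl(component["purl"]))
    return ids


def match_known_vulnerabilities(
    sbom_text: str, feed: Dict[str, List[str]]
) -> Tuple[Dict[str, List[str]], List[str]]:
    """Resolve each component's identifiers against an external feed.

    Returns ({bom-ref: sorted advisory ids}, [bom-refs with no identifier]).
    A component without cpe/swid/purl cannot be looked up anywhere, so it is
    listed as unresolved rather than silently treated as vulnerability-free.
    """
    bom = json.loads(sbom_text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    matches: Dict[str, List[str]] = {}
    unresolved: List[str] = []
    for comp in bom.get("components", []):
        ref = comp.get("bom-ref") or f"{comp.get('name')}@{comp.get('version')}"
        ids = component_identifiers(comp)
        if not ids:
            unresolved.append(ref)
            continue
        # A set de-duplicates the same advisory reached via CPE and SWID.
        found = sorted({adv for key in ids for adv in feed.get(key, [])})
        if found:
            matches[ref] = found
    return matches, unresolved


if __name__ == "__main__":
    hits, unknown = match_known_vulnerabilities(SBOM_JSON, VULN_FEED)
    for ref, advisories in hits.items():
        print(f"{ref}: {', '.join(advisories)}")
    for ref in unknown:
        print(f"{ref}: no CPE/SWID/purl, cannot be resolved against a feed")
```

Running the block lists one placeholder advisory for each of the two identifiable components and flags `lib-no-ids` as unresolvable; with real data the feed lookup would be a query to NVD, OSV or a vendor source keyed on the same identifiers.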
