What would you like to be added: Standalone Executables to appear in the SBOM generated from a file system
Why is this needed: See below
Additional context:
I don't know if this is already a feature, but because I couldn't find a configuration option, I wanted to ask this here.
Recently I was using Syft to generate SBOMs in CycloneDX format from file systems, particularly root file systems from common Linux distributions. Syft is great as far as files installed through the package manager (apt, ...) go; however, I was wondering whether Syft could also list my custom standalone binaries (compiled without source code) in the generated SBOM, as my personal benchmarks show that they are detected by Syft as "Executables" but are not noted in the SBOM?
as my personal benchmarks show that they are detected by Syft as "Executables", however are not noted in the SBOM?
I think what you're saying is that syft .... -o json | jq '.artifacts[]' does not show any evidence of your executable -- this is expected for the vast majority of cases. This is because we cannot determine a proper package name and version for executables most of the time, so they only show up in the "files" section, not the "artifacts" section (... | jq '.files[]').
We do make exceptions via the binary package cataloger for common/well-known binaries (e.g. python interpreter, ruby interpreter, nginx etc), but have not exposed this as configurable to detect any possible binaries.
Do you have an idea in mind about how these should appear in the SBOM as a package (which I think is your ask here), assuming that name and version are required elements for a package?
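The artifacts-versus-files split described in the reply above is easy to check mechanically: a standalone executable that no package claims will be present under "files" (with executable metadata) but absent from "artifacts". The script below is an added example, not code from the Syft project; the JSON it parses is a constructed sample shaped like Syft's JSON output as I understand it (the "artifacts", "files", "location.path" and "executable" keys are assumptions about the schema, and the paths and package are made up). It reports every executable file whose path is not covered by any catalogued package, which is the gap the original question is about.

```python
import json

# Constructed sample resembling `syft <target> -o json` output.
# Field names follow the Syft JSON schema as assumed here; the package,
# paths and ids are invented for the example.
SAMPLE_SBOM = json.dumps({
    "artifacts": [
        {
            "id": "pkg-curl",
            "name": "curl",
            "version": "7.88.1-10",
            "type": "deb",
            "locations": [{"path": "/usr/bin/curl"}],
        }
    ],
    "files": [
        {
            "id": "f1",
            "location": {"path": "/usr/bin/curl"},
            "executable": {"format": "elf", "hasEntrypoint": True},
        },
        {
            "id": "f2",
            "location": {"path": "/opt/acme/agent"},
            "executable": {"format": "elf", "hasEntrypoint": True},
        },
        {
            "id": "f3",
            "location": {"path": "/etc/hostname"},
        },
    ],
})


def load_sbom(text):
    """Parse Syft JSON output (a string) into a dict."""
    return json.loads(text)


def package_paths(sbom):
    """Return the set of file paths that some catalogued package (an
    entry in "artifacts") claims as one of its locations."""
    paths = set()
    for pkg in sbom.get("artifacts", []):
        for loc in pkg.get("locations", []):
            path = loc.get("path")
            if path:
                paths.add(path)
    return paths


def unpackaged_executables(sbom):
    """Return executables from the "files" section that no package covers.

    These are exactly the binaries the reply above says will not appear in
    `.artifacts[]` because Syft cannot derive a name and version for them.
    """
    covered = package_paths(sbom)
    findings = []
    for entry in sbom.get("files", []):
        exe = entry.get("executable")
        if not exe:
            continue  # plain data file, not an executable
        path = entry.get("location", {}).get("path")
        if path and path not in covered:
            findings.append({"path": path, "format": exe.get("format")})
    return findings


def summarize(sbom):
    """Counts a reviewer would want next to the SBOM: how many packages,
    how many files, and how many executables have no package owner."""
    return {
        "packages": len(sbom.get("artifacts", [])),
        "files": len(sbom.get("files", [])),
        "unpackaged_executables": len(unpackaged_executables(sbom)),
    }


if __name__ == "__main__":
    sbom = load_sbom(SAMPLE_SBOM)
    print(summarize(sbom))
    for finding in unpackaged_executables(sbom):
        print("no package covers", finding["path"], "(" + str(finding["format"]) + ")")
```

To run it against real output, replace SAMPLE_SBOM with the contents of a file produced by `syft <target> -o json`; the "files" section is only populated when Syft's file cataloging produced metadata for the scanned filesystem, so an empty result can mean either "everything is packaged" or "no file entries were recorded".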
Thank you for the fast reply, I think that I have found the issue. I was only creating SBOMs in CycloneDX JSON format, where they do not appear; however, in SPDX JSON they do. Are there plans to add these files to CycloneDX JSON as well, or will they only be listed in SPDX JSON?
@patrickSeal we're trying to get CDX updated for the next version to show files as components, so package and file types are included in that format for the same list: