Replies: 3 comments 5 replies
Thank you for your feedback. This seems like it would be more in line with security tools and code scanning rather than Actions. At the moment there does not seem to be a category for them in the feedback repo, so for now please move this to the General category.
@hauleth We have an upcoming feature called the Dependencies API. This will enable the scenario that you've described, although it will not require the use of either the CycloneDX or SPDX SBOM formats, since adoption of those is still not yet widespread.
It would also be useful to be able to generate an SPDX BOM based on the dependency graph data that GitHub generates. Then we could integrate other tools such as DependencyTrack and consume the SPDX data for each repo, without needing to change build processes.
CycloneDX is a simple SBoM format created by OWASP for tracking dependencies in a language-agnostic way. Supporting such a format in dependency tracking would allow that feature to be extended by the community to new languages without involving GitHub staff.
It could be handled in a similar way to SARIF reports, where you generate a CycloneDX report and then have an official action that uploads and parses it on the GitHub side.
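As an added example (not code from this thread, from GitHub, or from the CycloneDX project), a minimal Python consumer of a CycloneDX JSON BOM of the kind proposed above: it checks the format header, indexes the declared components, and walks the BOM's `dependencies` graph from the application's `bom-ref`. The BOM below is a constructed sample; the `pkg:hex/...` purls and version numbers are made up for illustration.

```python
import json

# Constructed sample CycloneDX 1.4 JSON BOM (not taken from the thread). It carries
# a component list plus the optional "dependencies" graph section.
SAMPLE_BOM = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4", "version": 1,
  "metadata": {"component": {"type": "application", "bom-ref": "pkg:hex/myapp@1.0.0",
                             "name": "myapp", "version": "1.0.0"}},
  "components": [
    {"type": "library", "bom-ref": "pkg:hex/plug@1.14.0", "name": "plug", "version": "1.14.0", "purl": "pkg:hex/plug@1.14.0"},
    {"type": "library", "bom-ref": "pkg:hex/mime@2.0.3", "name": "mime", "version": "2.0.3", "purl": "pkg:hex/mime@2.0.3"},
    {"type": "library", "bom-ref": "pkg:hex/jason@1.4.0", "name": "jason", "version": "1.4.0", "purl": "pkg:hex/jason@1.4.0"}
  ],
  "dependencies": [
    {"ref": "pkg:hex/myapp@1.0.0", "dependsOn": ["pkg:hex/plug@1.14.0"]},
    {"ref": "pkg:hex/plug@1.14.0", "dependsOn": ["pkg:hex/mime@2.0.3"]},
    {"ref": "pkg:hex/mime@2.0.3", "dependsOn": []},
    {"ref": "pkg:hex/jason@1.4.0", "dependsOn": []}
  ]
}"""

def load_bom(text):
    """Parse a CycloneDX JSON BOM and reject input that lacks the format header."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX" or "specVersion" not in bom:
        raise ValueError("not a CycloneDX BOM")
    return bom

def components_by_ref(bom):
    """Map bom-ref -> (name, version, purl) for every declared component."""
    return {c["bom-ref"]: (c["name"], c.get("version"), c.get("purl"))
            for c in bom.get("components", [])}

def transitive_deps(bom, root_ref):
    """Walk the 'dependencies' graph from root_ref; return every reachable bom-ref."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in bom.get("dependencies", [])}
    seen, stack = set(), [root_ref]
    while stack:
        for dep in edges.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def unreferenced_components(bom, root_ref):
    """Declared components not reachable from the root: worth a second look."""
    return set(components_by_ref(bom)) - transitive_deps(bom, root_ref)
```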