Allow to list SBOMs created by the tools by package #12
Comments
Thanks for the feedback @sschuberth. Let us evaluate this and get back to you.

Any update on the matter, @surendrapathak?

Hey @sschuberth, sorry I dropped the ball on this one and we are in the middle of some key releases. Let me get back to you in two weeks on this issue. Thanks for your patience.

Hi @sschuberth, to confirm, in your view, a user would
Let me know if I am missing anything.

I believe that matches my view, yes. To compare apples to apples (as opposed to oranges), IMO it only makes sense to compare the quality of SBOMs for the same package (and ecosystem) across tools.
Is your feature request related to a problem? Please describe.
Mostly, an auto-generated SBOM can only be as good as the metadata provided by the project / packages. As such it might be unfair to compare tools solely based on their SBOM quality scores, as they're not necessarily being run on the same packages.
Describe the solution you'd like
For a given project / package, it should be possible to list all the SBOMs and their scores for the respective tools. That way one can quickly see which tool is providing the best SBOM for a given fixed input.
Describe alternatives you've considered
Another way to emphasize that a plain quality score based comparison might be unfair would be to clearly show for each tool which package managers / build systems / ecosystems it supports. Users might prefer a single slightly "worse" polyglot tool over multiple "better" specialized tools for usage simplicity.
Additional context
Looking at https://sbombenchmark.dev/, it currently seems like "som4python" would be the best overall tool, but as the name suggests it's for Python projects only, and from a user perspective it makes little sense to directly compare this to container-only tools like "Syft".