SPDX SBOM generation #11780
Replies: 3 comments 3 replies
-
I think "half way there" is probably accurate. Renovate currently doesn't care enough about transitive dependencies - because it only cares about things it can update. It may not fit well into the CLI approach either, but it's something I'd consider adding as an export from the app dashboard.
-
+1 - would really love to be able to generate SPDX SBOMs from my
-
FYI I've built a tool for this (more info) that takes i.e. Renovate's debug logs and will then produce an SBOM - as above it'll only depend on the data that Renovate exposes, but can be a good start.
-
With the announcement that SPDX is now an ISO standard (https://spdx.dev/spdx-specification-is-now-an-iso-standard/), would the remit of renovatebot extend to generating an SPDX SBOM? Feels like it might be 'half way there' already because it knows about the dependencies?