add support for CycloneDX output of dependencies #21911
Replies: 3 comments 1 reply
-
Per our conversation with @rarkins today, transitive dependencies are missing for that.
-
Renovate today tends to "not care about" transitive dependencies because it cares only about dependencies it can/should update. Possibly in the future this might need to change.
-
FYI I've built a tool for this (more info) that takes i.e. Renovate's debug logs and will then produce an SBOM - as above it'll only depend on the data that Renovate exposes, but can be a good start.
-
Type of discussion.
I'm proposing an idea
Tell us more.
Renovate is excellent at extracting all kinds of dependencies, as can be seen in the "Dependency Dashboard" (for example INRIA/spoon#4143).
Those dependencies form a complete software bill of material.
To a certain extent, Renovate is better at this than GitHub's SBOM or Google's SBOM at deps.dev.
The only limitation is that there is no interoperable format.
It would be great to output the Renovate dependencies using the CycloneDX file format cyclonedx.org/specification/overview
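As an added illustration of what the proposal asks for (this is not Renovate's code nor the tool mentioned above), the following converts a constructed list of dependencies in the shape Renovate's extractors expose (depName, currentValue, datasource; assumed field names) into a minimal CycloneDX 1.5 JSON BOM with Package URLs. Because Renovate exposes no transitive data, the BOM carries components only and no dependency graph.

```python
import json
from urllib.parse import quote

# Constructed sample in the shape of Renovate-extracted dependencies
# (depName / currentValue / datasource). Not real Renovate output.
RENOVATE_DEPS = [
    {"depName": "express", "currentValue": "4.18.2", "datasource": "npm"},
    {"depName": "@angular/core", "currentValue": "16.1.0", "datasource": "npm"},
    {"depName": "org.apache.commons:commons-lang3", "currentValue": "3.12.0",
     "datasource": "maven"},
    {"depName": "requests", "currentValue": "2.31.0", "datasource": "pypi"},
    # a runtime constraint rather than a package; no purl type mapped for it
    {"depName": "node", "currentValue": "18.x", "datasource": "node-version"},
]

# Renovate datasource name -> purl type. Unmapped datasources get no purl.
PURL_TYPES = {"npm": "npm", "maven": "maven", "pypi": "pypi",
              "docker": "docker", "go": "golang"}


def to_purl(dep):
    """Build a Package URL, or None when the datasource/version cannot be expressed."""
    ptype = PURL_TYPES.get(dep["datasource"])
    version = dep.get("currentValue")
    if ptype is None or not version:
        return None
    name = dep["depName"]
    if ptype == "maven":
        # Renovate uses group:artifact; purl wants group/artifact
        name = name.replace(":", "/", 1)
    # percent-encode each path segment so an npm scope's '@' becomes %40
    path = "/".join(quote(seg, safe="") for seg in name.split("/"))
    return f"pkg:{ptype}/{path}@{quote(version, safe='')}"


def to_cyclonedx(deps):
    """Emit a CycloneDX 1.5 JSON document listing each dependency as a component."""
    components = []
    for dep in deps:
        comp = {"type": "library", "name": dep["depName"]}
        if dep.get("currentValue"):
            comp["version"] = dep["currentValue"]
        purl = to_purl(dep)
        if purl:
            comp["purl"] = purl
            comp["bom-ref"] = purl  # stable reference for tools consuming the BOM
        components.append(comp)
    # no "dependencies" section: Renovate does not expose the transitive graph
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


if __name__ == "__main__":
    print(json.dumps(to_cyclonedx(RENOVATE_DEPS), indent=2))
```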