mirror of
https://github.com/anchore/grype
synced 2024-11-14 00:07:08 +00:00
a62a3a413e
grype currently produces CYCLONE-DX SBOMs that are not compliant with the cyclone-dx tooling libraries. Rather than write the logic in two places, this PR moves grype to use syft's formatting functions as a library to produce valid CYCLONE-DX SBOM components along with the discovered vulnerabilities. For more context on impacted issues: https://github.com/anchore/grype/issues/796 https://github.com/anchore/grype/issues/951
Files in this directory:
.gitignore
cyclonedx.json
cyclonedx.xsd
Makefile
README.md
spdx.xsd
CycloneDX Schemas

grype generates CycloneDX output. This validation is similar to what is done in syft: the generated output is validated against the CycloneDX schemas.

Validation is done with xmllint, which requires a local copy of every schema because it cannot resolve HTTP references. The schemas in this directory are therefore modified so that they reference local copies of the schemas they depend on.
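The rewrite described above, as an added example that is not part of the grype or syft repositories: a small helper that rewrites remote `schemaLocation` references in an XSD to the basename of a local copy, refuses to touch references for which no local file is present, and checks that a schema is fully offline before it is handed to xmllint. The schema text, the `spdx.xsd` dependency name and the function names are constructed for this illustration; the page does not show how the project's own Makefile performs the substitution.

```python
import re
from urllib.parse import urlparse

# Matches the schemaLocation attribute of xs:import / xs:include elements
# that point at a remote (http or https) schema.
_LOC_RE = re.compile(r'schemaLocation="(https?://[^"]+)"')

# Constructed sample: a trimmed stand-in for a schema that pulls in a
# dependency over HTTP. It is not the real CycloneDX schema text.
SAMPLE_XSD = """<?xml version="1.0" encoding="UTF-8"?>
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema"
           xmlns:spdx="http://cyclonedx.org/schema/spdx"
           targetNamespace="http://cyclonedx.org/schema/bom/1.4"
           elementFormDefault="qualified">
  <xs:import namespace="http://cyclonedx.org/schema/spdx"
             schemaLocation="http://cyclonedx.org/schema/spdx.xsd"/>
  <xs:element name="bom" type="xs:string"/>
</xs:schema>
"""


def localize_schema_locations(xsd_text, local_files):
    """Rewrite each remote schemaLocation to the basename of its URL, but only
    when that file name is in local_files (the set of schemas kept on disk).

    Returns (rewritten_text, mapping, unresolved):
      mapping    - {remote_url: local_name} for every reference rewritten
      unresolved - remote URLs left untouched because no local copy exists
    """
    mapping = {}
    unresolved = []

    def repl(match):
        url = match.group(1)
        name = urlparse(url).path.rsplit("/", 1)[-1]
        if name in local_files:
            mapping[url] = name
            return f'schemaLocation="{name}"'
        unresolved.append(url)
        return match.group(0)  # leave the reference as-is; caller must fetch it

    return _LOC_RE.sub(repl, xsd_text), mapping, unresolved


def is_offline(xsd_text):
    """True when the schema contains no remote schemaLocation references,
    i.e. xmllint will not need network access to load its dependencies."""
    return _LOC_RE.search(xsd_text) is None


def xmllint_command(schema_path, document_path):
    """Argument vector for validating a document against a local schema.
    --noout suppresses echoing the document; only the validation verdict is printed."""
    return ["xmllint", "--noout", "--schema", schema_path, document_path]


if __name__ == "__main__":
    rewritten, mapping, unresolved = localize_schema_locations(SAMPLE_XSD, {"spdx.xsd"})
    print("rewritten references:", mapping)
    print("unresolved references:", unresolved)
    print("schema is offline:", is_offline(rewritten))
    print("validate with:", " ".join(xmllint_command("cyclonedx.xsd", "bom.xml")))
```

A practical check before running the validation target is to fail the build when `unresolved` is non-empty or `is_offline` returns False for any schema in the directory; otherwise xmllint will report a confusing load failure on the missing dependency rather than a schema error in the SBOM itself.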