SCS Artifact SBOM does not show OSS Risk field
pending feedback
Coquelicot Crane
After doing an SBOM orchestration and Trivy scan, the portal UI shows the SBOM OSS Risk field, but when downloading the SBOM, this field is not available, nor does there seem to be a GET API call for this.
Pranay Shah marked this post as pending feedback
Pranay Shah
Coquelicot Crane, the OSS Risk data isn't included in the downloaded SBOM because it doesn't align with the standard SPDX or CycloneDX specifications. Including it would break compliance with these formats.
If you have an example of an SBOM that incorporates OSS risk data while still conforming to SPDX or CycloneDX, could you please share it? That would help us evaluate possible approaches.
Also, on the GET API, do you plan to input the component name and view the OSS risk for that component alone? If that's the ask, we can look into this possibility.
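As an added illustration of the kind of example the reply asks for (this is not Harness code and not a format the product emits): CycloneDX components accept a `properties` array of producer-specific name/value pairs, so a risk value can ride inside the document without adding a key the schema does not know. The BOM below is constructed, the `example:ossRisk` property name is a hypothetical namespace, and the lookup function mirrors the per-component GET that the reply floats.

```python
import json
from typing import Optional

# Constructed sample: a minimal CycloneDX 1.5 JSON BOM with one component.
# Not produced by any real tool; only the keys needed for the example are present.
SAMPLE_BOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {
            "type": "library",
            "bom-ref": "pkg:npm/lodash@4.17.20",
            "name": "lodash",
            "version": "4.17.20",
            "purl": "pkg:npm/lodash@4.17.20",
        }
    ],
}

# Hypothetical property name. CycloneDX leaves the namespace up to the producer;
# the "example:" prefix is an assumption for this example, not a name any vendor uses.
OSS_RISK_PROPERTY = "example:ossRisk"


def attach_oss_risk(bom: dict, component_name: str, risk: str) -> dict:
    """Return a copy of `bom` in which the named component carries an OSS-risk property.

    The property goes into the component's `properties` array ({name, value} pairs),
    which the CycloneDX schema defines, so the document stays schema-conformant.
    An existing value under the same name is replaced rather than duplicated.
    """
    out = json.loads(json.dumps(bom))  # deep copy so the caller's BOM is untouched
    for comp in out.get("components", []):
        if comp.get("name") == component_name:
            props = [p for p in comp.get("properties", []) if p.get("name") != OSS_RISK_PROPERTY]
            props.append({"name": OSS_RISK_PROPERTY, "value": str(risk)})
            comp["properties"] = props
            return out
    raise KeyError(f"component not in BOM: {component_name}")


def oss_risk_for(bom: dict, component_name: str) -> Optional[str]:
    """Look up the OSS-risk value for one component by name.

    This is the shape of the per-component GET lookup the reply describes.
    Returns None when either the component or the property is absent.
    """
    for comp in bom.get("components", []):
        if comp.get("name") != component_name:
            continue
        for prop in comp.get("properties", []):
            if prop.get("name") == OSS_RISK_PROPERTY:
                return prop.get("value")
    return None


def properties_well_formed(bom: dict) -> bool:
    """Structural check: every property is an object with a string `name` and a
    string `value` and nothing else, so a validator will not reject the enriched BOM.
    (The schema allows `value` to be omitted; this check is deliberately stricter.)"""
    for comp in bom.get("components", []):
        for prop in comp.get("properties", []):
            if set(prop) != {"name", "value"}:
                return False
            if not (isinstance(prop["name"], str) and isinstance(prop["value"], str)):
                return False
    return True


if __name__ == "__main__":
    enriched = attach_oss_risk(SAMPLE_BOM, "lodash", "high")
    print(json.dumps(enriched, indent=2))
    print("lodash OSS risk:", oss_risk_for(enriched, "lodash"))
```

Because `properties` is an extension point defined by the spec rather than a foreign top-level key, consumers that do not understand `example:ossRisk` simply ignore it, which is what makes this kind of enrichment format-safe.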