Replies: 2 comments 1 reply
-
|
You can -t python,-t js etc. The resulting bom file would always have a property to identify the source file |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
I assume when one uses -t universal or -r this wouldn't happen? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
for anyone else wondering about this, there is the --evidence true flag or the scan profile research that also provides evidence. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
In a repository with multiple ecosystems like a requirements.txt, a package.json and a Dockerfile, can one instruct cdxgen to specify which ecosystem the package belongs to or where it found the package in question? Especially in mono repos, that can potentially host a multitude of Dockerfiles, it would save a lot of time to be able to pinpoint where the dependency was defined. Such as certifi 1.2.3. came from componentA/requirements.txt and certifi 2.3.4 came from randomTool/requirements.txt
Beta Was this translation helpful? Give feedback.
All reactions