SBOM requirements
#1662
Replies: 1 comment 1 reply
-
|
LibTomCrypt is linked to pyarmor_runtime.so staticly, that is to say, it's embedded into pyarmor_runtime.so. So I think it's meaningless to collect LibTomCrypt version. |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
Ok, let me work with Black Duck to understand why they are giving statically linked dependencies. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
We have to share Software Bill of Materials(SBOM) to our customers as part of our deliverables. We use Black Duck manifest to generate SBOM.
We are using pyarmor_runtime.so file as part of our binary and Black Duck is identifying traces of LibTomCrypt in it and reports it as a dependent component. However, it is unable to identify the version of the LibTomCrypt being used in pyarmor_runtime.so .
Is there any way to identify the version of this component used in each version of Pyarmor?
Do you also publish a SBOM with pyarmor releases?
For the time being, would you be able to let us know the LibTomCrypt version used in 8.4.x version of Pyarmor so that we can manually edit it in Black Duck? This will unblock us for the time being.
It would be great if you can provide a solution for this issue.
Beta Was this translation helpful? Give feedback.
All reactions