
docs: write a how to guide for SBOM scanning #2922

Closed
@terriko

Description


Right now, we've got a whole lot of SBOM related options in the cve-bin-tool manual and some shorter getting started stuff in the Readme, but it would be really nice to have a whole guide dedicated to SBOM scanning.

Some thoughts about what to include:

  • How to use the various options with examples
  • What to expect / not expect from an SBOM scan
  • How to improve lookups: e.g. currently we're searching for case insensitive exact names, so if your sbom has a weird name or prefixes the product name somehow it may not work. (See also bug: libraries ignored by cve-bin-tool ? #2846 for a recent case of it not working as expected)
  • recommendation of tools for generating sboms?

Also, if you're into videos, a lot of people ask for those as part of our documentation, but we currently don't provide them other than our conference talks, so this might be an option too.

This issue is reserved for a participant in the Open Source Hackathon 2023. Please leave it for hackathon participants through the end of April. If it hasn't been claimed by May 5 it will be open to any contributor who wants to work on it.
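The third bullet above describes why a lookup can silently miss: the product name in the SBOM is compared case-insensitively but exactly, so a packaging prefix such as `python-` or `lib` in front of the upstream name produces no match. The following Python is an added illustration written for this page, not cve-bin-tool's own matching code. It reads a constructed minimal CycloneDX-style SBOM, resolves each component against a constructed product table with the exact-match rule, and then shows one assumed improvement (stripping a fixed list of ecosystem prefixes before the lookup). `KNOWN_PRODUCTS`, `STRIP_PREFIXES` and the SBOM contents are all assumptions made for the example.

```python
import json

# Constructed minimal CycloneDX-style SBOM for this illustration only; it was
# not produced by any real SBOM generator.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "OpenSSL", "version": "1.1.1k"},
    {"type": "library", "name": "python-requests", "version": "2.25.1"},
    {"type": "library", "name": "libcurl", "version": "7.79.1"}
  ]
}
"""

# Constructed stand-in for a product table keyed by (vendor, product), the way
# vulnerability databases key their entries. These rows are assumptions.
KNOWN_PRODUCTS = {
    ("openssl", "openssl"),
    ("python", "requests"),
    ("haxx", "curl"),
}

# Prefixes that packaging ecosystems commonly put in front of the upstream
# product name. This list is an assumption for the example, not a tool default.
STRIP_PREFIXES = ("python-", "python3-", "lib", "node-", "perl-")


def load_components(sbom_text: str) -> list[tuple[str, str]]:
    """Return (name, version) pairs from a CycloneDX-style SBOM document."""
    sbom = json.loads(sbom_text)
    return [(c["name"], c.get("version", "")) for c in sbom.get("components", [])]


def exact_lookup(name: str, products=KNOWN_PRODUCTS) -> list[tuple[str, str]]:
    """Case-insensitive exact match on the product field: the rule the issue describes."""
    needle = name.lower()
    return [(v, p) for (v, p) in products if p == needle]


def candidate_names(name: str) -> list[str]:
    """Lookup candidates: the lowercased name first, then each known prefix removed."""
    lowered = name.lower()
    cands = [lowered]
    for pre in STRIP_PREFIXES:
        if lowered.startswith(pre) and len(lowered) > len(pre):
            cands.append(lowered[len(pre):])
    return cands


def normalized_lookup(name: str, products=KNOWN_PRODUCTS) -> list[tuple[str, str]]:
    """Assumed improvement: try exact lookup on each candidate, first hit wins."""
    for cand in candidate_names(name):
        hits = exact_lookup(cand, products)
        if hits:
            return hits
    return []


def scan(sbom_text: str, lookup=exact_lookup) -> dict[str, list[tuple[str, str]]]:
    """Map each SBOM component name to the product-table rows it resolves to ([] = no match)."""
    return {name: lookup(name) for name, _version in load_components(sbom_text)}


if __name__ == "__main__":
    for label, fn in (("exact", exact_lookup), ("normalized", normalized_lookup)):
        print(f"--- {label} lookup ---")
        for name, hits in scan(SBOM_JSON, fn).items():
            print(f"{name:16s} -> {hits or 'NO MATCH'}")
```

With the exact rule only `OpenSSL` resolves; `python-requests` and `libcurl` come back empty even though the product table knows both libraries, which is the "not working as expected" case the bullet points at. Prefix stripping closes that gap for these inputs, but it is a heuristic: `lib` is a prefix of many unrelated names, so a stripped candidate can also match the wrong product, and a guide should tell readers to confirm the vendor/product pair a match resolved to rather than trust the hit blindly.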

Metadata


Assignees

Labels

documentation: Documentation changes
hackathon: Issues for folk participating in the Open Ecosystems hackathon

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
