Improving enterprise adoption

[prabhu]

We would love to hear more about the challenges that prevented the adoption of cdxgen in your organization/team. Some points that came to our attention recently.

• The organization/team doesn't prefer node.js and its ecosystem
• cdxgen didn't integrate well with the build process (details missing)
• Results from cdxgen was different compared to an incumbent tool (details missing)
• cdxgen doesn't have enterprise support (yes, it does!)
• Organization prefers only spdx/openssf/ntia community tools (!)

Are there any other observations/comments that could help us improve?

[prabhu]

These questions posted on the Federal Acquisition Regulation are interesting.

https://www.federalregister.gov/documents/2023/10/03/2023-21328/federal-acquisition-regulation-cyber-threat-and-incident-reporting-and-information-sharing

Maybe a future version of tools could have a specific mode to generate compliant BoMs?

[setchy]

Our organization switched from a mismatch of tooling (cyclonedx-maven-plugin, syft, trivy, etc) to using cdxgen due to its breadth and consistency of supported languages / package managers, as well as it's streamlined integration to Dependency Track (helping to simplify a lot of manual steps in our CI process).