Generate both SPDX and CycloneDX SBOMs by default #661
Comments
I hit a similar problem in chainguard-dev/apko#149
What about making
I think that's fine once we resolve the bigger issues with how we store things.
This issue is stale because it has been open for 90 days with no
@imjasonh This issue is closed as completed. But I can't find this feature in the main branch. What is the meaning of "completed" here?
Sorry, that was my fault, I meant to close it as "not planned".
@imjasonh Thank you for the reply. Does this mean that the project no longer wants to consider this proposal? Are there any particular reasons for it?
I think in general we discovered there wasn't much user demand for the feature, even among our own usage. I wouldn't rule it out completely in the future, but emitting both flavors would need to be motivated by a use case, even moreso to make it the default behavior. If you have a use case we can discuss it. I think we'd start with an option to write both formats, and evaluate making it the default at a later time.
Today the default is `--sbom=spdx`, we should probably have an `--sbom=all` option and make that the default.

`all` kinda sounds like it includes the `go-version.m` SBOM, and I'm not sure that makes sense since I don't think anybody uses that today. It was mostly there for testing IIRC. Maybe we should just remove that option entirely?