-
@skylineJJ I have not tested cdxgen with Android source code. For very large projects, I would usually recommend someone working for a month or two to test, fix various bugs (including regressions), and iterate, since no tool can work magically out of the box. It is possible that cdxgen has to be invoked for one module or folder at a time, with some merge/aggregation scripts operating at the end. Unfortunately, my colleague and I do not have free time to help test with large projects, so you're on your own. The full list of project types is here: Line 5815 in 48b17f2 Please feel free to share a PR to update the docs with this list.
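The reply above suggests running cdxgen per module and aggregating afterwards. The script below is an added example, not cdxgen's own code: it merges several CycloneDX JSON documents (in practice each one read with `JSON.parse` from a per-module cdxgen output) into a single BOM that Dependency-Track can ingest, deduplicating components by purl and unioning the dependency graphs under one aggregate root. The sample BOMs and the `org.example` purls are constructed for the demonstration.

```javascript
// Added example (not cdxgen's own code): merge per-module CycloneDX JSON BOMs
// into one aggregate BOM. Components are deduplicated by purl (falling back to
// bom-ref), module-local bom-refs are remapped onto the merged keys, and the
// dependency graphs are unioned under one aggregate root component.
function componentKey(c) {
  return c.purl || c["bom-ref"] || `${c.group || ""}:${c.name}@${c.version || ""}`;
}

function mergeBoms(boms, rootRef = "aosp-aggregate") {
  const components = new Map(); // merged key -> component object
  const deps = new Map([[rootRef, new Set()]]); // ref -> Set of dependsOn refs
  const edges = (ref) => deps.get(ref) || deps.set(ref, new Set()).get(ref);
  for (const bom of boms) {
    if (bom.bomFormat !== "CycloneDX") throw new Error("not a CycloneDX BOM");
    const refToKey = new Map(); // this module's bom-ref -> merged key
    for (const c of bom.components || []) {
      const key = componentKey(c);
      refToKey.set(c["bom-ref"], key);
      if (!components.has(key)) components.set(key, { ...c, "bom-ref": key });
    }
    // Hang each module's own root component under the aggregate root.
    const moduleRoot = bom.metadata?.component?.["bom-ref"];
    if (moduleRoot) edges(rootRef).add(moduleRoot);
    for (const d of bom.dependencies || []) {
      const from = edges(refToKey.get(d.ref) || d.ref);
      for (const to of d.dependsOn || []) from.add(refToKey.get(to) || to);
    }
  }
  return {
    bomFormat: "CycloneDX", specVersion: "1.5", version: 1,
    metadata: { component: { type: "application", name: rootRef, "bom-ref": rootRef } },
    components: [...components.values()],
    dependencies: [...deps].map(([ref, s]) => ({ ref, dependsOn: [...s].sort() })),
  };
}

// Constructed sample standing in for two per-module cdxgen outputs; they share libshared.
const lib = (ref, name, version) =>
  ({ "bom-ref": ref, type: "library", name, version, purl: `pkg:maven/org.example/${name}@${version}` });
const SAMPLE_BOMS = [
  { bomFormat: "CycloneDX", metadata: { component: { "bom-ref": "module-a" } },
    components: [lib("a1", "liba", "1.0.0"), lib("a2", "libshared", "2.0.0")],
    dependencies: [{ ref: "module-a", dependsOn: ["a1", "a2"] }, { ref: "a1", dependsOn: ["a2"] }] },
  { bomFormat: "CycloneDX", metadata: { component: { "bom-ref": "module-b" } },
    components: [lib("b1", "libshared", "2.0.0"), lib("b2", "libb", "3.1.0")],
    dependencies: [{ ref: "module-b", dependsOn: ["b1", "b2"] }] },
];
const mergeSample = () => mergeBoms(SAMPLE_BOMS);
```

Merging by purl keeps one copy of a component that several modules pull in, which is what makes the aggregate usable for license and vulnerability analysis without double counting.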
-
I'm trying to generate an SBOM with the Google original Android project. The original Android build tool that comes along with Android 14 provides the option "m sbom" to generate an SBOM in SPDX format. But in order to use Dependency-Track as the SCA, an SBOM in CycloneDX format is needed, while the tool "cyclonedx-cli" doesn't work well to convert the format from SPDX to CycloneDX.
I tried to use cdxgen -t universal to generate the SBOM with the Android source code, but the content in the SBOM doesn't seem correct. Is it even possible for me to use cdxgen to scan the licenses and components with the Android OS source code?
In addition, I can't find a full list of acceptable options for the "-t" command option. Is there a full list anywhere?
I appreciate the help in advance.