Set additional properties when generating sbom for nugets #842
Comments
This bases on the assumption that packages are named by a certain convention/best practice that is not enforced. I don't think that this applies to all packages.
Sounds not unreasonable. Interestingly though, on the NuGet website you usually see an owner, e.g. here, but in the .nuspec file I didn't see a filled owner node yet.
Signed-off-by: James Thompson <[email protected]>
@mtsfoni I have just pushed a draft PR #846 which shows the publisher being set. In relation to the Group, you are correct that it is not enforced, but recently NuGet has started using verified prefixes to help improve security by providing a visual indicator that packages are coming from a reputable source and are who they claim to be.
This issue is stale because it has been open for 3 months with no activity.
When generating an SBOM, the properties below should be set to provide a richer experience and better information.

supplier: the URL/name of the repository used to source the package. This would need to come from package source mapping. Will be handled via "Utilize package mapping to source additional information" #845.