Replies: 2 comments 1 reply
-
|
You can -t python,-t js etc. The resulting bom file would always have a property to identify the source file |
Beta Was this translation helpful? Give feedback.
0 replies
-
|
I assume when one uses -t universal or -r this wouldn't happen? |
Beta Was this translation helpful? Give feedback.
1 reply
-
|
for anyone else wondering about this, there is the --evidence true flag or the scan profile research that also provides evidence. |
Beta Was this translation helpful? Give feedback.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
-
In a repository with multiple ecosystems like a requirements.txt, a package.json and a Dockerfile, can one instruct cdxgen to specify which ecosystem the package belongs to or where it found the package in question? Especially in mono repos, that can potentially host a multitude of Dockerfiles, it would save a lot of time to be able to pinpoint where the dependency was defined. Such as certifi 1.2.3. came from componentA/requirements.txt and certifi 2.3.4 came from randomTool/requirements.txt
Beta Was this translation helpful? Give feedback.
All reactions