info? compare and contrast this project vis-à-vis anchore/syft
rchincha opened this issue · comments
Trying to understand what the core differences are wrt https://github.com/anchore/syft
For example, is this project specific to k8s only?
Also, would you consider accepting PRs to make these values as cmdline params:
https://github.com/kubernetes-sigs/bom/blob/main/pkg/spdx/document.go#L175
since the creator could be org-specific.
Hello, @rchincha. Thanks for the issue and the question. I will try to answer.
This project started around the same timeframe as the other, and we built that to integrate, in the first place, with the k8s release process, but after that, for any kind of Go project (for now, it focuses on Go applications) and it uses the guidelines defined by the SPDX working group.
But this is not only for K8s projects. You can use it in your project.
And you can open a PR; I will be happy to review that.
Hope that clarifies your question.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After 90d of inactivity, lifecycle/stale is applied
- After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
- After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
- Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale