Can BOM files be hybrid #338
Answered
by
stevespringett
omerfinger
asked this question in
Q&A
-
|
Hi, is it common to create a BOM file that contains both components (SBOM) and vulnerabilities (VEX) sections? |
Beta Was this translation helpful? Give feedback.
Answered by
stevespringett
Nov 13, 2023
Replies: 1 comment
-
|
It is common to have a BOM that contains vulnerability information (VDR) as many security tools, especially SCA, produce such output. See https://cyclonedx.org/capabilities/vdr/ Optionally the analysis section can be done as well, but is much less prevalent. See https://cyclonedx.org/capabilities/vex/ |
Beta Was this translation helpful? Give feedback.
0 replies
Answer selected by
jkowalleck
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It is common to have a BOM that contains vulnerability information (VDR) as many security tools, especially SCA, produce such output. See https://cyclonedx.org/capabilities/vdr/
Optionally the analysis section can be done as well, but is much less prevalent. See https://cyclonedx.org/capabilities/vex/