Hi Vishal,
Most probably the difference comes from transitive dependencies pulled
in during the build. Your pom.xml doesn't include those.
nisha
On 8/5/24 09:08, Vishal Goyal via lists.spdx.org wrote:
All,
I am looking for some help and guidance from experts on how to
validate build SBOMs and check for any false positives.
I have used this maven plugin to generate SPDX format build SBOM for
an open source Java project (https://github.com/wmichalska/CreditManager)
https://github.com/spdx/spdx-maven-plugin
The build SBOM has around 120 lines. For the same codebase, I
generated an SBOM by doing a source code scan - this has 10 lines.
Can someone please advise how to validate the build SBOM?
Thanks,
Vishal.
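Added example for this thread (not code from nisha, Vishal, or the spdx-maven-plugin project): a small Python script that does the check the reply points at, attributing every package in the build SBOM to the build's resolved dependency tree. A package at depth 1 in the tree is a direct dependency you will find in pom.xml; deeper entries are transitive and explain why the build SBOM is much longer than the source-scan one; anything in the SBOM that the tree does not contain at all is the bucket to examine for false positives. It assumes the SBOM is SPDX 2.x tag-value with Maven purls in ExternalRef lines, and that the tree is the default text output of `mvn dependency:tree`; both inputs below are constructed samples in those formats.

```python
import re
from dataclasses import dataclass, field

# Constructed SPDX 2.x tag-value fragment. Real spdx-maven-plugin output has
# many more fields per package; only the purl ExternalRef matters here.
SBOM_TAG_VALUE = r"""
SPDXVersion: SPDX-2.3
PackageName: creditmanager
SPDXID: SPDXRef-RootPackage
ExternalRef: PACKAGE-MANAGER purl pkg:maven/com.example/creditmanager@1.0-SNAPSHOT
PackageName: spring-boot-starter-web
SPDXID: SPDXRef-Package-1
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.springframework.boot/spring-boot-starter-web@2.7.0
PackageName: spring-boot-starter
SPDXID: SPDXRef-Package-2
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.springframework.boot/spring-boot-starter@2.7.0
PackageName: spring-webmvc
SPDXID: SPDXRef-Package-3
ExternalRef: PACKAGE-MANAGER purl pkg:maven/org.springframework/spring-webmvc@5.3.20
PackageName: junit
SPDXID: SPDXRef-Package-4
ExternalRef: PACKAGE-MANAGER purl pkg:maven/junit/junit@4.13.2
PackageName: stale-lib
SPDXID: SPDXRef-Package-5
ExternalRef: PACKAGE-MANAGER purl pkg:maven/com.example/stale-lib@0.9
"""

# Constructed `mvn dependency:tree` text output; stale-lib is deliberately
# absent and slf4j-api is deliberately missing from the SBOM above.
MVN_TREE = r"""
[INFO] com.example:creditmanager:jar:1.0-SNAPSHOT
[INFO] +- org.springframework.boot:spring-boot-starter-web:jar:2.7.0:compile
[INFO] |  +- org.springframework.boot:spring-boot-starter:jar:2.7.0:compile
[INFO] |  |  \- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] |  \- org.springframework:spring-webmvc:jar:5.3.20:compile
[INFO] \- junit:junit:jar:4.13.2:test
"""

PURL_RE = re.compile(r"^ExternalRef:\s+PACKAGE-MANAGER\s+purl\s+pkg:maven/([^/]+)/([^@]+)@(\S+)")
# Each tree level is a 3-character prefix cell: "+- ", "\- ", "|  " or "   ".
TREE_RE = re.compile(r"^\[INFO\] ((?:\+- |\\- |\|  |   )*)(\S+)$")


def parse_sbom_purls(text):
    """Return {(groupId, artifactId): version} for every Maven purl in the SBOM."""
    found = {}
    for line in text.splitlines():
        m = PURL_RE.match(line.strip())
        if m:
            found[(m.group(1), m.group(2))] = m.group(3)
    return found


def parse_dependency_tree(text):
    """Return {(groupId, artifactId): (version, depth, scope)}; depth 0 is the project."""
    deps = {}
    for line in text.splitlines():
        m = TREE_RE.match(line)
        if not m:
            continue
        parts = m.group(2).split(":")
        if len(parts) < 4:      # separator lines such as "[INFO] -----" are not coordinates
            continue
        depth = len(m.group(1)) // 3
        # g:a:type:version | g:a:type:version:scope | g:a:type:classifier:version:scope
        if len(parts) == 6:
            version, scope = parts[4], parts[5]
        elif len(parts) == 5:
            version, scope = parts[3], parts[4]
        else:
            version, scope = parts[3], None
        deps[(parts[0], parts[1])] = (version, depth, scope)
    return deps


@dataclass
class Report:
    direct: dict = field(default_factory=dict)
    transitive: dict = field(default_factory=dict)
    unexplained: dict = field(default_factory=dict)       # in SBOM, not in the tree
    version_mismatch: dict = field(default_factory=dict)  # same artifact, different version
    missing_from_sbom: dict = field(default_factory=dict)  # resolved by Maven, absent from SBOM


def reconcile(sbom, tree):
    """Explain each SBOM package via the tree, and flag what cannot be explained."""
    r = Report()
    for key, version in sbom.items():
        if key not in tree:
            r.unexplained[key] = version
            continue
        tree_version, depth, scope = tree[key]
        if tree_version != version:
            r.version_mismatch[key] = (version, tree_version)
        if depth == 0:
            continue  # the project itself, not a dependency
        (r.direct if depth == 1 else r.transitive)[key] = (version, depth, scope)
    for key, (version, depth, scope) in tree.items():
        if depth > 0 and key not in sbom:
            r.missing_from_sbom[key] = (version, depth, scope)
    return r


if __name__ == "__main__":
    report = reconcile(parse_sbom_purls(SBOM_TAG_VALUE), parse_dependency_tree(MVN_TREE))
    for bucket in ("direct", "transitive", "unexplained", "version_mismatch", "missing_from_sbom"):
        entries = getattr(report, bucket)
        print(f"{bucket} ({len(entries)}):", ", ".join(f"{g}:{a}" for g, a in sorted(entries)))
```

Against real output, write the tree with `mvn dependency:tree -DoutputFile=tree.txt` from the same build that produced the SBOM, so both reflect the same resolution. The "unexplained" bucket is where a false positive would show up; "missing_from_sbom" is the opposite error and is just as important for an SBOM consumer. Note that test-scoped artifacts (junit above) may legitimately appear in one list and not the other depending on how the plugin is configured, so compare scopes before calling either a defect.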
View/Reply Online (#5694): https://lists.spdx.org/g/Spdx-tech/message/5694