k8-sig's BOM #7170

dgutson · 2023-06-21T12:34:17Z

dgutson
Jun 21, 2023

Hi, I wanted to ask about the functionality relationship between ORT and https://github.com/kubernetes-sigs/bom:

can ORT benefit from it with some integration?
or, are they mutually exclusive by running at the same functional level?

Thanks.

Answered by sschuberth

Jun 21, 2023

Looks like the bom tool basically accepts two types of input: containers and directories / files. Only if the directory happens to contain a Go module, package-level dependencies are determined. I.e. bom completely lacks ORT's package-manager support. If the directory is not a Go module, its files are being listed as part of the SPDX BOM.

So bottom line, bom rather seems to complement ORT than offering the same functionality, and eventually bom could be used to implement #1833.

View full answer

sschuberth · 2023-06-21T14:12:47Z

sschuberth
Jun 21, 2023
Maintainer

Looks like the bom tool basically accepts two types of input: containers and directories / files. Only if the directory happens to contain a Go module, package-level dependencies are determined. I.e. bom completely lacks ORT's package-manager support. If the directory is not a Go module, its files are being listed as part of the SPDX BOM.

So bottom line, bom rather seems to complement ORT than offering the same functionality, and eventually bom could be used to implement #1833.

1 reply

dgutson Jun 21, 2023
Author

Thanks, you might want to update #1833 (comment) then.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

k8-sig's BOM #7170

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

k8-sig's BOM #7170

dgutson Jun 21, 2023

Replies: 1 comment · 1 reply

sschuberth Jun 21, 2023 Maintainer

dgutson Jun 21, 2023 Author

dgutson
Jun 21, 2023

Replies: 1 comment 1 reply

sschuberth
Jun 21, 2023
Maintainer

dgutson Jun 21, 2023
Author