Investigate potential to use Microsoft's open source SBOM tool
Investigate the potential to use the Microsoft SBOM tool to generate SBOMs for Eclipse content.
Based on claims in the tool's documentation, there's some overlap with ORT (in that it purports to dig into build files to identify dependencies). AFAICT, it doesn't scan content for license or copyright information.
I've done some initial investigation with version 0.1.3 of the tool. It generates an SBOM, but with some deficiencies.
- No licenses captured;
- No copyrights captured;
- Includes content from the `.git` directory and from ephemeral build artifact directories (e.g., `node_modules`, `target`) (see Issue 63);
- Apparently misses Maven `pom.xml` files (see Issue 64).
It does appear to do a good job of capturing content from NPM `package-lock.json` and `yarn.lock`. I haven't investigated how deeply it interrogates the dependency tree (i.e., does it deal with transitive dependencies?).
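As an added example (not part of this issue and not code from the sbom-tool project), the script below audits an SPDX 2.2 JSON document, the format sbom-tool writes as `manifest.spdx.json`, for the gaps listed above: file entries with no license or copyright, entries from `.git` or build-output directories, build manifests that should be listed but are not, and packages with no license information. The directory list, the expected-manifest list and the embedded sample document are constructed assumptions, not output captured from the tool.

```python
"""Audit an SPDX 2.2 JSON SBOM for the kinds of gaps noted in the issue above.

Added example. The sample document, EPHEMERAL_DIRS and the default list of
expected manifests are assumptions made for illustration.
"""
import json

# Repository metadata and build-output directories whose files should not appear
# in a source SBOM (assumed list; extend for your build).
EPHEMERAL_DIRS = {".git", "node_modules", "target", "build", "dist"}

# SPDX values that mean "nothing was actually captured".
NO_DATA = {"NOASSERTION", "NONE", ""}


def ephemeral_dir(file_name: str):
    """Return the first path component that is an ephemeral directory, else None."""
    rel = file_name[2:] if file_name.startswith("./") else file_name
    for part in rel.split("/")[:-1]:  # only directory components, not the basename
        if part in EPHEMERAL_DIRS:
            return part
    return None


def has_license(entry: dict) -> bool:
    """True if the SPDX file or package entry carries any real license value."""
    if entry.get("licenseConcluded", "") not in NO_DATA:
        return True
    if entry.get("licenseDeclared", "") not in NO_DATA:  # packages only
        return True
    return any(lic not in NO_DATA for lic in entry.get("licenseInfoInFiles", []))


def audit_sbom(doc: dict, expected_manifests=("pom.xml",)) -> dict:
    """Summarise the SBOM's coverage; every count is derived from the document."""
    files = doc.get("files", [])
    packages = doc.get("packages", [])
    basenames = {f.get("fileName", "").rsplit("/", 1)[-1] for f in files}
    return {
        "file_count": len(files),
        "files_without_license": sum(1 for f in files if not has_license(f)),
        "files_without_copyright": sum(
            1 for f in files if f.get("copyrightText", "") in NO_DATA),
        "ephemeral_files": [f["fileName"] for f in files
                            if ephemeral_dir(f.get("fileName", ""))],
        "missing_manifests": [m for m in expected_manifests if m not in basenames],
        "package_count": len(packages),
        "packages_without_license": sum(1 for p in packages if not has_license(p)),
    }


def load_and_audit(path: str) -> dict:
    """Convenience wrapper for a real manifest.spdx.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_sbom(json.load(fh))


# Constructed sample in the shape of an sbom-tool SPDX 2.2 document; it is not
# real tool output, only an illustration of the deficiencies discussed.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-project 1.0.0",
    "files": [
        {"fileName": "./src/main/java/App.java", "SPDXID": "SPDXRef-File-1",
         "licenseConcluded": "NOASSERTION", "licenseInfoInFiles": ["NOASSERTION"],
         "copyrightText": "NOASSERTION"},
        {"fileName": "./.git/HEAD", "SPDXID": "SPDXRef-File-2",
         "licenseConcluded": "NOASSERTION", "copyrightText": "NOASSERTION"},
        {"fileName": "./node_modules/left-pad/index.js", "SPDXID": "SPDXRef-File-3",
         "licenseConcluded": "NOASSERTION", "copyrightText": "NOASSERTION"},
        {"fileName": "./target/classes/App.class", "SPDXID": "SPDXRef-File-4",
         "licenseConcluded": "NOASSERTION", "copyrightText": "NOASSERTION"},
        {"fileName": "./LICENSE", "SPDXID": "SPDXRef-File-5",
         "licenseConcluded": "EPL-2.0", "copyrightText": "Copyright (c) 2020 Example"},
    ],
    "packages": [
        {"name": "left-pad", "versionInfo": "1.3.0", "SPDXID": "SPDXRef-Package-1",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "NOASSERTION",
         "copyrightText": "NOASSERTION"},
        {"name": "junit", "versionInfo": "4.13.2", "SPDXID": "SPDXRef-Package-2",
         "licenseConcluded": "NOASSERTION", "licenseDeclared": "EPL-1.0"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(audit_sbom(SAMPLE_SBOM), indent=2))
```

Run `load_and_audit("_manifest/spdx_2.2/manifest.spdx.json")` against a generated SBOM to get the same summary; a non-empty `ephemeral_files` or `missing_manifests` list, or file and package license counts equal to the totals, reproduces the deficiencies described above for that build.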