Skip to content

adding SecureSBOM to tools.json#69

Open
VinnyBarton wants to merge 6 commits intoCycloneDX:mainfrom
shiftleftcyber:feature/addSecureSBOMToToolCenter
Open

adding SecureSBOM to tools.json#69
VinnyBarton wants to merge 6 commits intoCycloneDX:mainfrom
shiftleftcyber:feature/addSecureSBOMToToolCenter

Conversation

@VinnyBarton
Copy link

@VinnyBarton VinnyBarton commented Sep 9, 2025

No description provided.

@VinnyBarton VinnyBarton requested a review from a team as a code owner September 9, 2025 10:26
jkowalleck
jkowalleck reviewed Sep 9, 2025
View reviewed changes
tools.json Outdated
],
"functions": [
"ANALYSIS",
"PACKAGE_MANAGER_INTEGRATION",
Copy link
Member

@jkowalleck jkowalleck Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

package manager integration?
could you elaborate on this feature?

Copy link
Author

@VinnyBarton VinnyBarton Sep 9, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for reviewing @jkowalleck

SecureSBOM has a standalone GitHub Action: https://github.com/shiftleftcyber/secure-sbom-action. In addition we are also close to releasing a standalone SDK that can easily be integrated into various build systems (ie: Jenkins, Bitbucket...). Since "build system" is mentioned in the description of PACKAGE_MANGER_INTEGRATION, I included it in the array.

"PACKAGE_MANAGER_INTEGRATION": "Tools that integrate with build systems and package managers.",

If I am mistaken I would be happy to remove.

@jkowalleck
Copy link
Member

jkowalleck commented Sep 9, 2025

this PR has conflicts

VinnyBarton and others added 2 commits September 16, 2025 06:43
@VinnyBarton
adding SecureSBOM to tools.json
d8bcf6a 
Signed-off-by: Vinny Barton <vbarton@shiftleftcyber.io>
@ahmadnassri @VinnyBarton
feat: add socket.dev
5074e11 
Signed-off-by: Ahmad Nassri <ahmad@socket.dev>
@VinnyBarton VinnyBarton force-pushed the feature/addSecureSBOMToToolCenter branch from f0c2ab5 to 5074e11 Compare September 16, 2025 10:44
@jkowalleck
Copy link
Member

jkowalleck commented Sep 24, 2025

we've changed how the tools.json is managed.
since now, each tool has its own json file in https://github.com/CycloneDX/tool-center/tree/main/tools
please revert your changes to tools.json, and add a dedicated fiele in the tools folder.

@jkowalleck jkowalleck marked this pull request as draft September 25, 2025 16:18
@jkowalleck jkowalleck self-requested a review September 30, 2025 14:09
@jkowalleck jkowalleck marked this pull request as ready for review September 30, 2025 14:09
@jkowalleck jkowalleck marked this pull request as draft October 31, 2025 08:01
jkowalleck
jkowalleck reviewed Oct 31, 2025
View reviewed changes
tools/securesbom.json
],
"functions": [
"ANALYSIS",
"PACKAGE_MANAGER_INTEGRATION",
Copy link
Member

@jkowalleck jkowalleck Oct 31, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

remove, as discussed here: #69 (comment)

Suggested change
"PACKAGE_MANAGER_INTEGRATION",

@jkowalleck jkowalleck marked this pull request as ready for review October 31, 2025 08:05
@jkowalleck jkowalleck requested a review from Copilot January 5, 2026 13:22
Copilot AI reviewed Jan 5, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request adds a new tool configuration file for SecureSBOM, an enterprise-grade API providing cryptographic signing and verification capabilities for SBOMs, to the CycloneDX tool center.

Key changes:

  • Adds SecureSBOM tool metadata including capabilities, availability, functions, and supported standards
  • Declares support for SBOM and VDR/VEX capabilities with FREEMIUM and SUBSCRIPTION availability models
  • Specifies support for multiple platforms (Linux, Mac, Windows) and packaging formats (CLI, GitHub Action, Library)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

tools/securesbom.json Outdated
"PACKAGE_MANAGER_INTEGRATION",
"SIGNING/NOTARY"
],
"analysis": [],
Copy link

Copilot AI Jan 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The "analysis" array is empty, but the tool declares "ANALYSIS" in the "functions" array. When a tool has "ANALYSIS" functionality, it should specify what types of analysis it performs by including values such as "SECURITY_VULNERABILITIES", "LICENSE_REPORTING", "POLICY_EVALUATION", "RESOURCE_REPORTING", or "OUTDATED_COMPONENTS". Either populate this array with appropriate analysis types or remove "ANALYSIS" from the functions array.

Copilot uses AI. Check for mistakes.
@jkowalleck jkowalleck requested a review from a team January 23, 2026 13:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jkowalleck jkowalleck jkowalleck left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@VinnyBarton @jkowalleck @ahmadnassri