Description
Typical SBOMs (Software Bills of Materials) have dozens, maybe hundreds or thousands, of components, due to dependencies and package managers, that may be identified without licensing in the LicenseDeclared section. Additional trusted data stores to enhance or supplement this data would remove the need for either bespoke scripting or manual effort.
GUAC (Graph for Understanding Artifact Composition) integrates with ClearlyDefined to enhance supply chain transparency by retrieving accurate license data for software dependencies. At present, the tool can ingest an SBOM, which can then be queried to provide specific missing data. It would be ideal, however, to provide such licensing in a more automated fashion to enrich the LicenseConcluded section of the SBOM, similar to the way that https://github.com/snyk/parlay does with the ecosyste.ms data.
Even better would be to provide choices to the users of the tool to enrich the SBOM with the data sources of their choosing from a menu based on their level of trust in the backend source of data.
Thank you for considering this request!!!
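As an added illustration of the enrichment this request describes (not GUAC or parlay code), the following Python fills a missing LicenseConcluded from a menu of backends ordered by trust, skips sources below the caller's trust threshold, leaves existing conclusions untouched, and records where each value came from. The SBOM fragment and both backend tables are constructed stand-ins; a real integration would query the ClearlyDefined and ecosyste.ms APIs instead.

```python
import json
from typing import Callable, Dict, List, Optional, Tuple

# Constructed SPDX-style SBOM fragment: concluded licenses all missing.
SBOM = {"packages": [
    {"name": "left-pad", "versionInfo": "1.3.0", "licenseDeclared": "NOASSERTION",
     "licenseConcluded": "NOASSERTION", "externalRefs": [
         {"referenceType": "purl", "referenceLocator": "pkg:npm/left-pad@1.3.0"}]},
    {"name": "requests", "versionInfo": "2.31.0", "licenseDeclared": "Apache-2.0",
     "licenseConcluded": "NOASSERTION", "externalRefs": [
         {"referenceType": "purl", "referenceLocator": "pkg:pypi/requests@2.31.0"}]},
    {"name": "mystery", "versionInfo": "0.1", "licenseDeclared": "NOASSERTION",
     "licenseConcluded": "NOASSERTION", "externalRefs": []},
]}

# Constructed backend answers keyed by purl (hypothetical data, not live lookups).
CLEARLYDEFINED = {"pkg:npm/left-pad@1.3.0": "MIT"}
ECOSYSTEMS = {"pkg:npm/left-pad@1.3.0": "WTFPL", "pkg:pypi/requests@2.31.0": "Apache-2.0"}

# The user's menu: (source name, trust score, lookup). Highest trust wins.
Source = Tuple[str, int, Callable[[str], Optional[str]]]
SOURCES: List[Source] = [("clearlydefined", 90, CLEARLYDEFINED.get),
                         ("ecosyste.ms", 60, ECOSYSTEMS.get)]

def purl_of(pkg: Dict) -> Optional[str]:
    """Return the package URL recorded in the SPDX externalRefs, if any."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None

def enrich(sbom: Dict, sources: List[Source], min_trust: int) -> Dict:
    """Fill licenseConcluded where it is NOASSERTION, consulting sources from
    most to least trusted and ignoring any below min_trust; returns a new SBOM."""
    out = json.loads(json.dumps(sbom))  # deep copy so the input SBOM is unchanged
    for pkg in out["packages"]:
        purl = purl_of(pkg)
        if pkg.get("licenseConcluded", "NOASSERTION") != "NOASSERTION" or purl is None:
            continue  # keep an existing conclusion; nothing to key a lookup on
        for name, trust, lookup in sorted(sources, key=lambda s: -s[1]):
            if trust < min_trust:
                break  # remaining sources are all less trusted than allowed
            lic = lookup(purl)
            if lic:
                pkg["licenseConcluded"] = lic
                pkg.setdefault("annotations", []).append(  # provenance, simplified
                    {"annotationType": "OTHER",
                     "comment": f"licenseConcluded from {name} (trust {trust})"})
                break
    return out
```

With a threshold of 70 only ClearlyDefined is consulted, so left-pad becomes MIT and requests stays NOASSERTION; lowering the threshold to 50 lets ecosyste.ms fill requests as Apache-2.0, while the package without a purl is never touched.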