-
@hari326, cdxgen doesn't require frontend applications to be built and can entirely operate from the lock files (package-lock.json, yarn.lock) alone. Try passing |
-
Hello,
I'm uncertain whether this feature has already been integrated, but the issue at hand revolves around our intention to integrate "cdxgen" into our Continuous Integration/Continuous Deployment (CI/CD) pipelines to gather Software Bill of Materials (SBOMs). The challenge we face primarily concerns front-end applications with extensive dependencies/packages, resulting in prolonged execution times when fetching SBOMs. This time delay persists even when the package list remains unchanged, impacting our overall build time. Given that we run numerous pipelines across our repositories, we are exploring options for caching the previous SBOM and utilizing it if there have been no alterations in the dependencies.
Any suggestions here will help.
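An added example, not part of the discussion above and not cdxgen's own code: one way to reuse a previous SBOM while the lock files named in the reply (package-lock.json, yarn.lock) are unchanged, keyed on their content hash. The function names, cache layout and the `SBOM_GENERATOR` / `SBOM_CACHE_SALT` variables are assumptions made for this sketch; the only cdxgen invocation used is `cdxgen -o <file> <path>`.

```shell
#!/bin/sh
# Added example: cache an SBOM under a key derived from the lock files' content.
# Hypothetical names: lockfile_digest, sbom_cached, SBOM_GENERATOR, SBOM_CACHE_SALT.

lockfile_digest() {
  # Print one SHA-256 over every lock file under $1 (relative path + content).
  local dir=$1 files
  files=$(find "$dir" -name node_modules -prune -o -type f \
            \( -name package-lock.json -o -name yarn.lock \) -print | LC_ALL=C sort)
  [ -n "$files" ] || return 1   # no lock file: nothing trustworthy to key on
  {
    # Salt the key with anything that should invalidate the cache,
    # e.g. the generator version the pipeline has pinned.
    printf 'salt=%s\n' "${SBOM_CACHE_SALT:-}"
    printf '%s\n' "$files" | while IFS= read -r f; do
      printf '%s\n' "${f#"$dir"/}"
      sha256sum < "$f"
    done
  } | sha256sum | cut -d' ' -f1
}

sbom_cached() {
  # Usage: sbom_cached <project-dir> <cache-dir> <output-file>
  # Prints "hit" or "miss"; non-zero status means no SBOM was produced.
  local dir=$1 cache=$2 out=$3 key hit tmp
  key=$(lockfile_digest "$dir") || return 1
  hit="$cache/sbom-$key.json"
  if [ -s "$hit" ]; then
    cp "$hit" "$out" && echo hit
    return
  fi
  mkdir -p "$cache"
  tmp=$(mktemp "$cache/.sbom.XXXXXX") || return 1
  # Generate into a temp file first so a failed or partial run never
  # becomes a cache entry that later builds would trust.
  if ${SBOM_GENERATOR:-cdxgen} -o "$tmp" "$dir" && [ -s "$tmp" ]; then
    mv "$tmp" "$hit" && cp "$hit" "$out" && echo miss
  else
    rm -f "$tmp"
    return 1
  fi
}
```

The cache directory should be writable only by the pipeline itself, since a cache hit is copied into the build output without being regenerated.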