How to make valid sbom files? (Newbie Questions)

Hi,

I just started making some SBOMs in JSON format, and we got one from Adobe Reader. Why are the self-generated SBOMs so different?
I don't find the packages or used libraries from the company's SBOM in my generated SBOM, with one exception: sqlite.

Can anyone explain to me why that is?
Can I make it similar?
Which SBOM can I trust more? The company's or the generator's?
It's important for me to have clear and correct SBOM files, but I'm not into the topic enough to say more about it.
I'm thankful for any help.

I used this command: syft.exe "C:\Program Files (x86)\Adobe\Acrobat Reader 2020" --select-catalogers "+sbom-cataloger" -o cyclonedx-json@1.5=syft-adobe_reader-sbom.json && jq.exe . syft-adobe_reader-sbom.json

Thanks
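An added example, not from the original post and not part of Syft, showing one way to line the two SBOMs up instead of comparing them by eye: it parses two constructed CycloneDX JSON documents (invented sample data standing in for the vendor SBOM and the Syft output) and reports which (name, version) pairs are shared and which appear in only one of them, so an overlap like "only sqlite" can be checked mechanically.

```python
import json

# Constructed CycloneDX 1.5 JSON documents standing in for the vendor-supplied
# SBOM and the Syft-generated one. The component lists are invented sample data.
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "SQLite", "version": "3.42.0"},
        {"type": "library", "name": "libxml2", "version": "2.11.4"},
        {"type": "library", "name": "zlib", "version": "1.2.13"},
    ],
})
SYFT_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "sqlite", "version": "3.42.0"},
        {"type": "library", "name": "Some.Dotnet.Package", "version": "4.0.1"},
    ],
})


def components(sbom_json: str) -> set[tuple[str, str]]:
    """Return the (name, version) pairs listed in a CycloneDX JSON SBOM.

    Names are lower-cased so that 'SQLite' and 'sqlite' compare equal; a
    component without a version is recorded with an empty version string.
    """
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return {
        (c.get("name", "").lower(), c.get("version") or "")
        for c in doc.get("components", [])
    }


def diff_sboms(a_json: str, b_json: str) -> dict[str, set[tuple[str, str]]]:
    """Split components into those shared by both SBOMs and those unique to each."""
    a, b = components(a_json), components(b_json)
    return {"shared": a & b, "only_a": a - b, "only_b": b - a}


if __name__ == "__main__":
    result = diff_sboms(VENDOR_SBOM, SYFT_SBOM)
    for key in ("shared", "only_a", "only_b"):
        print(f"{key}: {sorted(result[key])}")
```

With the sample data above, the only shared entry is sqlite, mirroring the situation in the post; run it against the two real files by loading their contents in place of the constructed strings.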

Hi @corincorvus, thanks for the post!

I don’t understand your question. Can you help me understand?

I think you’re saying that you generated an SBOM by pointing Syft at the directory on your computer where Adobe Acrobat is installed, and it doesn’t look how you expected, but I’m not sure that’s what you’re saying. I don’t know what “why are the self generated sbom so different?” means. What’s a “self generated sbom”? What is it different from? Did you mean to write “syft generated sbom”?

I think what you’re saying is this:

  1. You’re scanning some directory with Syft to get a Syft SBOM
  2. You have some other source for an SBOM of the same directory
  3. You’re surprised how different they are, and want to know which one is right.

Do I have that right? What is the source of the other SBOM? Do you need an SBOM of Adobe Acrobat in particular, or is that just an example you’re using?