Component Quality in sbomqs: Moving Beyond Static Checks to Real Component Health
Hey SBOM community 👋 If you’ve been using sbomqs for a while, you know it does a solid job of telling you what’s in your SBOM: not just that fields exist, but what values they actually hold. Names, versions, licenses, suppliers, checksums, PURLs, CPEs — every field and its corresponding value, laid out right there in your SBOM. And when something’s missing? The score command returns a score of 0 for it so you can’t miss it, while the list command shows you exactly which components are empty and which ones have real values. It’s a transparent, no-nonsense way to audit your SBOM’s contents. ...