Managing dependencies in non-manifest languages
riteshnoronh
·
2026-05-01
·
via Hacker News: Ask HN
Automated Software Composition Analysis (SCA) tools are unreliable in C/C++, embedded, legacy, and hybrid codebases. They produce false positives, miss vendored and patched components, and have no story for per-build-variant SBOMs. For these projects, the practical workflow is for developers to curate component metadata by hand and generate a compliant SBOM from it deterministically, reproducibly, and at per-artifact granularity. We have seen this pattern at many organizations, we wanted to create some basic standardizations to help capture the intent. https://github.com/interlynk-io/bomtique If you are working in non-manifest based languages and have CRA regulations requiring you to create SBOM, give it a shot and let us know if this helps. An overview of how it can be used https://github.com/interlynk-io/bomtique/blob/main/docs/getting-started.md If you use AI coding agents, use the prompt below to get started. https://github.com/interlynk-io/bomtique/blob/main/prompts/agent-onboarding.md Comments URL: https://news.ycombinator.com/item?id=47968391 Points: 1 # Comments: 0
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。