
> scanning source code: it will also generate a lot of false positives and a need to manually edit (amend/correct) the SBOM

Can you give any examples of this? I’ve never seen a tool like this report a true-false positive but based on your mention of embedded tools I’m guessing you might be referring to something like a build dependency which is completely optimized out such as a debugging feature on a production build? In such cases I would be inclined to either prepare separate SBOMs or otherwise indicate when something is present but not reachable. My concern about editing the files is that these are intended in a somewhat legalistic context and if something blew up it’s not hard to imagine someone’s lawyer using those changes to argue that you were aware of a problem and tried to cover it up. Even if you could defend your policy, that’s not a conversation anyone wants to have.

An example would be trying to create the SBOM on a build server which is meant to produce the artifact, and you're only interested in what your artifact needs (pulls in). How would any tool know what to include in an SBOM?

Because normally the SBOM generation tool will try to query your package manager, whether that's rpm, dpkg or pypi and others, to try to understand what it sees. So looking at the build stage might include a lot more (toolchain etc.).

Most commercial tools would cater for this by allowing you to rectify incomplete or wrong information.

The problem you mention, liability, is an important one. If the law requires the SBOM to be correct then this is a problem humans need to verify. And that's really annoying.
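The two comments above describe the same gap from both sides: a scanner that queries the build host's package manager reports the toolchain and test tooling alongside the artifact's real dependencies, while editing the SBOM by hand creates a liability record. The script below is an added example (not code from either commenter or from any SBOM tool) showing a middle path: reconcile the scanner's output against the artifact's own dependency manifest and annotate every component with the CycloneDX `scope` field (`required` or `excluded`) instead of deleting anything, so the document stays auditable. The two input documents are constructed samples, the `review:version-mismatch` property name is an invented convention, and the CycloneDX `scope` and `properties` fields are assumed to be the spec's standard ones.

```python
import json
from typing import Dict

# Constructed sample: what a scanner that queries the build host's package
# manager might report. It mixes the artifact's runtime libraries with the
# compiler and test framework that only live on the build server.
BUILD_HOST_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0"},
        {"type": "library", "name": "urllib3", "version": "2.0.7",
         "purl": "pkg:pypi/urllib3@2.0.7"},
        {"type": "application", "name": "gcc", "version": "12.3.0",
         "purl": "pkg:deb/debian/gcc@12.3.0"},
        {"type": "library", "name": "pytest", "version": "7.4.0",
         "purl": "pkg:pypi/pytest@7.4.0"},
    ],
}

# Constructed sample: what the artifact itself declares it pulls in at run
# time (as one would parse from its lockfile), mapped name -> version.
ARTIFACT_RUNTIME_DEPS: Dict[str, str] = {
    "requests": "2.31.0",
    "urllib3": "2.1.0",
    "certifi": "2023.11.17",
}


def classify_components(sbom: dict, runtime_deps: Dict[str, str]) -> dict:
    """Return a copy of the SBOM in which every component carries a CycloneDX
    `scope`: 'required' if the artifact needs it at run time, 'excluded' if it
    was only present on the build host. Nothing is removed, so the record of
    what the scanner saw is preserved for audit."""
    annotated = json.loads(json.dumps(sbom))  # deep copy; never mutate input
    for comp in annotated["components"]:
        declared = runtime_deps.get(comp["name"])
        if declared is None:
            comp["scope"] = "excluded"          # build-only: toolchain, tests
            continue
        comp["scope"] = "required"
        if declared != comp["version"]:
            # Same package, different version on the host vs. the manifest:
            # flag it for a human rather than silently picking one.
            comp.setdefault("properties", []).append({
                "name": "review:version-mismatch",   # invented convention
                "value": f"artifact declares {declared}",
            })
    return annotated


def reconcile(sbom: dict, runtime_deps: Dict[str, str]) -> dict:
    """Summarise what a reviewer must look at: components that are build-only,
    runtime dependencies the scanner never saw, and version disagreements."""
    annotated = classify_components(sbom, runtime_deps)
    comps = annotated["components"]
    seen = {c["name"] for c in comps}
    return {
        "build_only": sorted(c["name"] for c in comps if c["scope"] == "excluded"),
        "missing_from_scan": sorted(n for n in runtime_deps if n not in seen),
        "version_mismatch": sorted(
            c["name"] for c in comps
            if any(p["name"] == "review:version-mismatch"
                   for p in c.get("properties", []))
        ),
    }


if __name__ == "__main__":
    print(json.dumps(reconcile(BUILD_HOST_SBOM, ARTIFACT_RUNTIME_DEPS), indent=2))
```

The `missing_from_scan` list is the part worth watching: a runtime dependency the scanner never reported (here `certifi`, perhaps vendored or installed outside the package manager) is a false negative, which is the more dangerous direction than the build-only noise the thread focuses on.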
