Linking Build Versions, Scans and SBOMs
Version tagging allows Community Edition users to link SOOS scans to released versions of their open source packages. This ensures that when users download an SBOM (in CycloneDX or VEX format), any vulnerability attestations are properly reflected for the version being downloaded.
Use the --buildNumber parameter (or its equivalent for your integration) to pass the build number to SOOS with each scan. Alternatively, versions can be added or adjusted manually using the Version Chip under the Project or Project History.
For GitHub app integrations, SOOS supports reading a version file named soos_version.txt from your repo. This file contains the desired version and no other text. The file can be updated automatically by the build process before the SOOS scan runs, and its value is preferred over any version value provided in a manifest.
If you already have a version text file that you wish to use, you can specify the file name in your GitHub Configurations.
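A build-side helper for producing that version file, as an added example rather than SOOS's own tooling: it derives the version from an explicit argument or the nearest git tag, refuses anything that is not a single clean token, and writes the file with nothing but the version in it. The output path, the use of `git describe` as a fallback, and the omission of a trailing newline are assumptions of this example.

```shell
#!/bin/sh
# Added example (not SOOS tooling): write soos_version.txt from the build
# before the SOOS scan runs. The file must hold the version and nothing else.
# Assumptions: version comes from $1 or from `git describe`; the output path
# defaults to soos_version.txt; no trailing newline is written.

set -eu

# Resolve the version: an explicit argument wins, otherwise the nearest git tag.
resolve_version() {
    if [ -n "${1:-}" ]; then
        printf '%s' "$1"
    else
        git describe --tags --always 2>/dev/null
    fi
}

# Reject an empty value or anything containing whitespace (extra words, extra lines).
validate_version() {
    case "$1" in
        ''|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# Write the version file containing only the version string.
write_version_file() {
    version="$(resolve_version "${1:-}")"
    validate_version "$version" || { echo "invalid version: '$version'" >&2; return 1; }
    printf '%s' "$version" > "${2:-soos_version.txt}"
}

# Read the file back and confirm it is a single token on a single line.
check_version_file() {
    file="${1:-soos_version.txt}"
    [ -f "$file" ] || return 1
    content="$(cat "$file")"
    validate_version "$content" && [ "$(wc -l < "$file")" -eq 0 ]
}
```

Run `write_version_file "$BUILD_VERSION"` as the CI step immediately before the scan, and `check_version_file` to fail the pipeline if the file ever picks up stray text.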