Re: Taxonomy of software supply chain ecosystem?
There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
From: spdx@... <spdx@...> On Behalf Of Kate Stewart
Sent: 17 November 2021 22:35
To: SPDX-general <spdx@...>
Subject: Re: [spdx] Taxonomy of software supply chain ecosystem?
There's been some industry wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX
Which is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.
Long term solution here is to move this collection to SPDX's github and generate automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.