Re: Taxonomy of software supply chain ecosystem?
VM (Vicky) Brasseur
Yessssss…
It’ll take a while to get through it all, but this will be very helpful for us. Many thanks, Steve and Tooling Group Team!
--V
-- VM (Vicky) Brasseur Director, Senior Strategy Advisor Open Source Program Office Wipro Limited Time Zone: Pacific/West Coast US
From:
<spdx@...> on behalf of "Steve Kilbane via lists.spdx.org" <stephen.kilbane=analog.com@...>
Hi Vicky,
There's been some great work in the OSS Compliance Tooling Group which addresses this – if you're asking what I think you're asking. See:
https://github.com/Open-Source-Compliance/Sharing-creates-value/tree/master/Tooling-Landscape
(it is, however, restricted to FOSS tools, given the charter of the group, but the taxonomy in CapabilityMap is generally applicable.)
steve
From: spdx@... <spdx@...>
On Behalf Of Kate Stewart
There's been some industry-wide agreement on the taxonomy to use to classify tools here: https://www.ntia.gov/files/ntia/publications/ntia_sbom_tooling_taxonomy-2021mar30.pdf
I think the path of least pain is to align with it, unless there are some tools that just don't fit in the taxonomy.
We've been collecting the tools we're aware of that work with SPDX, and grouped within the taxonomy here: http://tiny.cc/SPDX
Which is open for comments, so if you spot a tool that works with SPDX and you don't see it in the taxonomy, please fill in the template and add a comment. Jack's done a great job in moving what we've got in that document to our website.
The long-term solution here is to move this collection to SPDX's GitHub and generate it automatically via a landscape onto the web pages, but that's a WIP that Sebastian's helping us make real.
That help?
Kate
On Wed, Nov 17, 2021 at 3:33 PM VM (Vicky) Brasseur via
lists.spdx.org <vm.brasseur=wipro.com@...> wrote: