Re: SPDX and NTIA SBOM Minimum elements #spdx


William Bartholomew (CELA)
 

This is how Microsoft has approached this:

https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/

 

The one thing I’d add is that additional identifiers would be stored in External References.

 

Regards,

 

William Bartholomew (he/him) – Let’s chat

Principal Security Strategist

Global Cybersecurity Policy – Microsoft

 


From: spdx@... <spdx@...> On Behalf Of Dick Brooks via lists.spdx.org
Sent: Monday, May 16, 2022 9:24 AM
To: spdx@...
Subject: [EXTERNAL] Re: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

 

NTIA Framing document has the mapping you seek: see page 13

https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf

 

However, the EO 14028 NTIA min element list is a little different from the framing document list (see attached).

 

 

Thanks,

 

Dick Brooks

 

Active Member of the CISA Critical Manufacturing Sector,

Sector Coordinating Council – A Public-Private Partnership

 

Never trust software, always verify and report!

http://www.reliableenergyanalytics.com

Email: dick@...

Tel: +1 978-696-1788

 

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 12:10 PM
To: spdx@...
Subject: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

 

Hi,
Is there any document reference which can be used to see the mapping between SPDX tags and NTIA Minimum elements?
Some element names can be easily confused, something like "Author of SBOM Data" in NTIA Minimum elements and the "Creator" tag in SPDX: are those the same?

Regards
Sandeep 
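
An added example for the mapping question in this thread (not code from any of the posters, Microsoft, SPDX or NTIA): a checker that reports which NTIA minimum elements an SPDX 2.x JSON document does not supply, and lists the additional identifiers held in External References. The field-to-element pairing, the treatment of `NOASSERTION` as missing, and the sample document are assumptions of this example; the NTIA framing document linked above remains the reference for the mapping.

```python
import json

# Constructed sample SPDX 2.x JSON document, not taken from the thread.
SAMPLE = json.loads("""{
  "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT",
  "creationInfo": {"created": "2022-05-16T12:10:00Z",
                   "creators": ["Organization: Example Corp", "Tool: example-tool-1.0"]},
  "packages": [
    {"SPDXID": "SPDXRef-app", "name": "example-app", "versionInfo": "1.4.2",
     "supplier": "Organization: Example Corp",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:npm/example-app@1.4.2"}]},
    {"SPDXID": "SPDXRef-lib", "name": "example-lib", "supplier": "NOASSERTION"}],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                     "relatedSpdxElement": "SPDXRef-app"}]
}""")

# Assumed pairing of SPDX package fields with NTIA minimum elements.
# Assumption: a NOASSERTION value is treated as "not supplied".
PER_PACKAGE = {"name": "Component Name", "versionInfo": "Version of the Component",
               "supplier": "Supplier Name", "SPDXID": "Other Unique Identifiers"}

def missing_minimum_elements(doc):
    """Return sorted (location, NTIA element) pairs the document does not supply."""
    gaps = []
    info = doc.get("creationInfo", {})
    if not info.get("creators"):       # SPDX Creator <-> "Author of SBOM Data"
        gaps.append(("document", "Author of SBOM Data"))
    if not info.get("created"):        # SPDX Created <-> "Timestamp"
        gaps.append(("document", "Timestamp"))
    related = set()
    for rel in doc.get("relationships", []):
        related.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
    for pkg in doc.get("packages", []):
        where = pkg.get("SPDXID") or pkg.get("name") or "<unnamed package>"
        for field, element in PER_PACKAGE.items():
            if pkg.get(field) in (None, "", "NOASSERTION"):
                gaps.append((where, element))
        if pkg.get("SPDXID") not in related:   # no Relationship mentions it
            gaps.append((where, "Dependency Relationship"))
    return sorted(gaps)

def extra_identifiers(doc):
    """Additional identifiers (purl, CPE, ...) carried in External References."""
    return {p["SPDXID"]: [r["referenceLocator"] for r in p.get("externalRefs", [])]
            for p in doc.get("packages", []) if p.get("SPDXID")}

if __name__ == "__main__":
    for where, element in missing_minimum_elements(SAMPLE):
        print(f"{where}: missing {element}")
```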
