Re: SPDX Generator with RefIDs and package hierarchy

Dick Brooks


REA has effectively used SPDX and CycloneDX SBOM formats to conduct software supply chain risk assessments since 2021. I suggest using the latest SPDX SBOM version, 2.3.


Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
Email: dick@...
Tel: +1 978-696-1788

-----Original Message-----
From: spdx@... <spdx@...> On Behalf Of Richard Hughes
Sent: Thursday, March 16, 2023 11:57 AM
To: spdx@...
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy

On Thu, 16 Mar 2023 at 14:40, <daniel@...> wrote:
but we're also looking to support SPDX as well.
Is SPDX actually useful as an SBoM specification? I tried to add support into uSWID a few months ago and it was totally underspecified compared to SWID.


Join { to automatically receive all group messages.