Re: SPDX Generator with RefIDs and package hierarchy
Richard,
REA has effectively used SPDX and CycloneDX SBOM formats to conduct software supply chain risk assessments since 2021. I suggest using the latest SPDX SBOM version, 2.3.
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
Tel: +1 978-696-1788
From: spdx@... <spdx@...> On Behalf Of Richard Hughes
Sent: Thursday, March 16, 2023 11:57 AM
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy
On Thu, 16 Mar 2023 at 14:40, <daniel@...> wrote:
> but we're also looking to support SPDX as well.

Is SPDX actually useful as an SBoM specification? I tried to add support into uSWID a few months ago and it was totally underspecified compared to SWID.