Re: End Of Life Tag in spdx
#spdx
Armijn said:
> Current information inside SPDX documents is largely static […]
> This would make SPDX a lot more cumbersome, as not only do the documents need to be generated, but they also need
By Steve Kilbane · #1524

Re: End Of Life Tag in spdx
#spdx
I agree: “I would suggest to keep this information "out of band" and not inside SPDX documents”
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector
By Dick Brooks · #1523

Re: End Of Life Tag in spdx
#spdx
hello,
I would suggest to keep this information "out of band" and not inside SPDX documents. Current information inside SPDX documents is largely static: package, license,
By Armijn Hemel - Tjaldur Software Governance Solutions · #1522

Re: SPDXID
#spdx
Hi Sandeep,
Although the SPDX ID is internal to SPDX documents, you can refer to an SPDX ID in a different document using the SPDX Document identifier as defined in section 6.6. So the statement
By Gary O'Neall · #1521

Re: SPDXID
#spdx
Hi Gary,
Thanks for the reply. Then SPDXID will be mostly an internal ID and cannot be referenced externally. Do you think this might need some change in the SPDXID documentation statement?
"Uniquely
By Patil, Sandeep · #1520

FYI: SPDX in the OpenSSF Mobilization Plan
Some of you probably know that OpenSSF met with a bunch of US Federal organizations in Washington DC last week to discuss cyber security wrt the open source software supply chain. (our own Kate and
By VM (Vicky) Brasseur · #1519

Re: SPDXID
#spdx
Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.
Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID.
Fortunately, there is a
By Gary O'Neall · #1518

Re: SPDX and NTIA SBOM Minimum elements
#spdx
This is how Microsoft has approached this:
https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/
The one thing I’d add is
By William Bartholomew (CELA) · #1517

Re: SPDX and NTIA SBOM Minimum elements
#spdx
You’re welcome.
You will most likely need SPDX V2.3 if you have any “FILE” components that need to specify version info. The new PackagePurpose field supports the version info for “FILE”
By Dick Brooks · #1516

Re: SPDX and NTIA SBOM Minimum elements
#spdx
Thank you Dick, this is useful
From: spdx@... <spdx@...> On Behalf Of Dick Brooks via lists.spdx.org
Sent: Monday, May 16, 2022 9:54 PM
To: spdx@...
Subject: Re: [spdx] SPDX and NTIA SBOM Minimum
By Patil, Sandeep · #1515

Re: SPDX and NTIA SBOM Minimum elements
#spdx
NTIA Framing document has the mapping you seek: see page 13
https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf
However the “EO 14028 NTIA min element list
By Dick Brooks · #1514

SPDX and NTIA SBOM Minimum elements
#spdx
Hi,
Is there any document reference which can be used to see the mapping between SPDX tags and NTIA Minimum elements?
Some element names can be easily confused, something like "Author of SBOM Data"
By Patil, Sandeep · #1513

SPDXID
#spdx
Hi,
I have a query regarding SPDXID. Can this be expressed along with CPE or pURL, something like
"SPDXRef-[cpe id]" or "SPDXRef-[pURL]"
Any further guidance on this will help.
Regards
Sandeep
By Patil, Sandeep · #1512

Re: End Of Life Tag in spdx
#spdx
Kate and Sandeep,
Our customers are also interested in this information. There are two concepts to consider:
Commercial Status:
<enumeration value="Available"></enumeration>
By Dick Brooks · #1511

Re: End Of Life Tag in spdx
#spdx
Hi Sandeep,
There is a pull request expected shortly from the Usage profile team, to add this specific field to 2.3.
When it comes in, please feel free to review and make sure it's going to
By Kate Stewart · #1510

End Of Life Tag in spdx
#spdx
Hi All,
We have a requirement to specify End Of Life as part of package information in SBoM.
Is there a way the current SPDX format supports this?
Regards
Sandeep
By Patil, Sandeep · #1509

Re: SPDX Thurs General Meeting Reminder
The video has been posted here:
https://www.youtube.com/watch?v=8X5PWa7A6pY&list=PLciqFgcGu7TvR_f3aKZHkozX0WIs-N7vc&index=7
Thanks again to Joshua for sharing with us!
By Kate Stewart · #1508

Re: SPDX Thurs General Meeting Reminder
Hello,
Is it possible to get the recording from the April SPDX meeting?
Thanks.
Christopher D. Lusk
Product Security Analyst
Product Security Office
Lenovo
clusk@...
By Christopher Lusk · #1507

SPDX Thurs General Meeting Reminder
No special presentation this month, but I will announce this year’s recently added Member Reps and provide a little review of this aspect of the governance process.
GENERAL MEETING
Meeting
By Phil Odence · #1506

~24 hours left to propose SPDX talks to All Things Open!
All Things Open (ATO) is one of the largest open source conferences in the world now. In 2022 it’ll be in-person only, in its normal location of the Raleigh Convention Center in Raleigh, North
By VM (Vicky) Brasseur · #1505