Daniel Have a look at SBOM4Python which generates an SBOM for an installed python module including all of its dependencies (direct or indirect). And look at SBOM2dot which generates a DOT file for

Hi Daniel, I take it by refID you’re referring to the SPDX ID for the packages. There are a few tools out that that can build SBOM’s with the dependency maps. You can find information on

All, I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package

https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_benefits-nov2019.pdf -- Alfred Strauch President SmartTalk Security Inc. Bus: 306-5291442 Email: alfred@... Web:

Hello! Congratulations to spdx for being accepted into GSoC 2023 as an organisation! I'm Rahul and I would love to contribute to fixing manifest parsers for the SPDX generator. I've gone through the

https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf Note references to SBOM and NIST/CISA role in driving regulations. Thanks, Dick Brooks

Hello all, Max Huber of TNG Technology Consulting will be presenting on Thursday: In this presentation, Max will give a brief update of the recentdevelopment in the Python Tools. It went through a

Hi Keith, Please feel free to create an issue and/or a pull requests for the 2.2 JSON schema update. If there are no objections, we can merge it into the 2.2 spec branch. Thanks, Gary

Hi All, There has been a small discrepancy in the SPDX 2.2 JSON schema and the SPDX spec for a while: the 2.2 spec indicates External Reference Category should have a value of: SECURITY |

Dear SPDX community, We are approaching the end of the current term for several members of the SPDX Steering Committee. We are reaching out to let the community know about the upcoming nomination

Pull request not yet approved in GH, so here are the minutes. Sorry they are ugly and indentation isn’t working right. All good in GH. #SPDX General Meeting Minutes - January 5, 2023 ##

Extending the meeting for 2023…and beyond! Please accept this recurring invitation. “Dial In” info: Join the meeting: https://meet.jit.si/SPDXGeneralMeeting To join by phone instead,

Hi everyone! As every year, Google runs their Summer of Code program, where contributors get the opportunity to become part of Open Source communities. The SPDX Project has participated in the

Researchers at Indiana University’s Luddy School of Informatics, Computing, and Engineering are looking for participants in the study of SBOM feature preferences. This is an online and asynchronous

The Linux Foundation (LF) has launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the

Thanks, Max. I think that “bug” has been there for a while. I will endeavor to eliminate it going forward. Thanks for pointing it out. Phil From:spdx@... <spdx@...> on behalf of Maximilian

Hey Phil, just checked the meeting time and there seems to be an inconsistency: 8am PT / 10 am CT / 11am ET  mapps to  16:00 UTC I assume that 16:00 UTC, as it is the usual time, is

Happy New Year, all. I hope you have a meeting on your calendar for Thursday. In case there is an issue, the conference info is included below. No special presentation this month. Also please

Hello SPDX community! I am the ecosystem manager for Linux Foundation Research and we have recently launched The State of Open Standards Survey to capture how different organizations are involved in

‘‘SEC. 524B. ENSURING CYBERSECURITY OF DEVICES. ‘‘(3) provide to the Secretary a software bill of 20 materials, including commercial, open-source, and 21 off-the-shelf software