|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
Hi Dick,
Thank you so much for the explanation. I have yet to see an SPDX representation as well and trying to wrap my head around some of these SBOM challenges in the Medical Device space where
|
By
Joseph Silvia
·
#1676
·
|
|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
Hi Joe,
Both formats satisfy the NIST VDR data requirements identified in SP 800-161 RA-5, IMO.
REA uses an explicit model, listing each component and its vulnerability search status,
|
By
Dick Brooks
·
#1675
·
|
|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
Hello Dick,
You stated the REA has offered to withdraw its VDR format if the industry agrees to endorse the CycloneDX VDR format. Can you provide more details on the similarities and
|
By
Joseph Silvia
·
#1674
·
|
|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
May,
Thank you for the quick response.
With regard to testing; some of the spdx tool vendors conduct interoperability testing by sharing artifacts and reporting on any issues encountered. The
|
By
Dick Brooks
·
#1673
·
|
|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
Dick,
Thank you for your questions.
1. Our spdx-based IoT SBOM is available to all our customers. I am not sure about the specific "testing purposes" you are referring to, happy to talk more
|
By
May Wang
·
#1672
·
|
|
Re: SBOMs from vcpkg?
Looks like SPDX JSON is generated by default, see [1].
[1]: https://github.com/microsoft/vcpkg/issues/30461#issuecomment-1485245851
--
Sebastian Schuberth
|
By
Sebastian Schuberth
·
#1671
·
|
|
SBOMs from vcpkg?
Hey all,
If anyone happens to be using or familiar with Microsoft's vcpkg tool (using it to manage dependencies for a C++ project), do you know if there's a way to generate an SBOM from it? Their
|
By
daniel@...
·
#1670
·
|
|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
Thanks May.
Two questions:
Is the SPDX artifact available to use for testing purposes?
Is Palo Alto Networks also planning to issue NIST SBOM Vulnerability Disclosure Reports (VDR) that will be
|
By
Dick Brooks
·
#1669
·
|
|
Re: SPDX Gen Meeting Follow up- Mistake and Thanks
Thank you, Phil, the members of the SPDX Steering Committee, and the SPDX Community.
I am grateful for the fruitful year we have had working together. This year, we released the first IoT SBOM
|
By
May Wang
·
#1668
·
|
|
SPDX Gen Meeting Follow up- Mistake and Thanks
All,
It hit me, out of the blue when I awoke this morning, that in Thursday’s General Meeting I neglected to mention and give thanks to May Wang for her contributions in serving on the Steering
|
By
Phil Odence
·
#1667
·
|
|
Re: Reminder: Thursday SPDX General Meeting and Special Presentation
Joe, Thanks so much for doing this and sharing the slides. Inspiring!
From:spdx@... <spdx@...> on behalf of Joe Bussell via lists.spdx.org <joe.bussell=microsoft.com@...>
Date: Thursday, April 6,
|
By
Phil Odence
·
#1666
·
|
|
Re: Reminder: Thursday SPDX General Meeting and Special Presentation
I am sorry that the tech did not serve us well today. I also have reports of people from Microsoft who joined an empty meeting. There were 20 attendees this morning who did listen to my talk. I
|
By
Joe Bussell
·
#1665
·
|
|
general meeting happening right now
we are experiencing technical difficulties, but everyone is rejoining at https://meet.jit.si/SPDXGeneralMeeting - so please try again
|
By
J Lovejoy
·
#1664
·
|
|
Re: Reminder: Thursday SPDX General Meeting and Special Presentation
Is the meeting running? Several people in the meeting below with no activity…
|
By
Sam Ellis
·
#1663
·
|
|
Reminder: Thursday SPDX General Meeting and Special Presentation
SBOMs in the Windows supply chain, an SPDX success story - Joe Bussell, Microsoft
Abstract: Joe will discuss the implementation of validation of SBOMs representing software packages in the Windows
|
By
Phil Odence
·
#1662
·
|
|
Re: SPDXMerge Tool
#spdx
Thanks Anthony! Very cool tools!
Gary
|
By
Gary O'Neall
·
#1661
·
|
|
Re: SPDXMerge Tool
#spdx
It is good to see these tools being created and hopefully helping users understand the contents of an SBOM without having to become fluent in JSON or other formats :-).
I have produced sbom2doc
|
By
Anthony Harrison
·
#1660
·
|
|
Re: SPDXMerge Tool
#spdx
Hi Sandeep and Rose, how do you guys test the presence of all the components after merging?
I have built the spdx file visualizer. Check the sample screenshot. https://github.com/dineshr93/sq#sample
|
By
DR
·
#1659
·
|
|
Re: GitHub blogged they are creating SBOMs in SPDX format
Moving this thread to the spdx-tech list. The main spdx mail list is supposed to be low volume, for announcements.
The developers at github are working to address the issues, let's give them some
|
By
Kate Stewart
·
#1658
·
|
|
Re: GitHub blogged they are creating SBOMs in SPDX format
I have experimented with it and have the following observations:
1. All license information is marked as NOASSERTION (all files in the Git Repo have SPDX license ids in the files)
2. There are no
|
By
Anthony Harrison
·
#1657
·
|