Shouldn’t this be done by creating a third SBOM that refers back to the subordinate SBOMs, including all three in the result chain? From: spdx@... <spdx@...> On Behalf OfGary O'Neall via

Hi, I’m currently working on a composer tool that supports merging. Shortly to be open-sourced. Best, Ivana --- Ivana Atanasova Open Source Engineer VMware Open Source Program

I’m not aware of a tool that currently supports merging. There is an issue open on the SPDX Java tools – any java programmers out there who would like to volunteer a solution is welcome to create

Cosign also has a format for doing this: https://github.com/sigstore/cosign/blob/main/specs/SBOM_SPEC.md (Different from the attestation i just sent)

I've been signing and uploading them with sigstore as an intoto predicate, but not using the intoto specified spdx schema but instead pointing to a URI. Since sigstore has a limit on attestation size

May as well throw out a plug forhttps://openssf.org/, and for https://www.sigstore.dev/ in particular, here. A recent* Open Source Summit session gave an example of signing SBOMs using sigstore,

Sandeep, I know it is not a guideline. But we generally use sigstore/cosign to sign SBOMs. In a near future, we might start injecting the SBOM as part of an in-toto attestation, so it is signed and

Sandeep, I’m not aware of any specific guidelines for signing SBOM’s (SPDX and CycloneDX). REA’s signs SBOM’s using PGP as this seems to be the easiest method to sign stand-alone text

Hi All, Is there any guidelines to sign SPDX file ? Regards Sandeep

Hi All, Is there any tool to merge two spdx file ? Regards Sandeep

Special Presentation this month by Matthew Crawford from Arm: Title A new era for SPDX at Arm, are we ready for change? Let me walk you through the journey of open source software compliance at

I hope you are all ready for the upcoming pains in the next few years. Transitioning Fedora to SPDX is not going to be a happy time for a little while, since there's a huge impedance mismatch between

Nice. This certainly makes it easy to map from Fedora to SPDX IDs! SPDX license identifiers have emerged as a standard Woo hoo! From:Spdx-legal@... <Spdx-legal@...> on behalf of Steve

Jilayne, this is awesome news -- thanks for passing it along! Looking forward to us working with the Fedora community to support them adding SPDX license IDs across the distro. Steve

Hot off the press! Link to blog post of this here:https://communityblog.fedoraproject.org/important-changes-to-software-license-information-in-fedora-packages-spdx-and-more/

Greetings all, The SPDX spec version 2.3 is now available for review at https://spdx.github.io/spdx-spec/v2.3-RC1/. A summary of the changes can be found in the SPEC Annex I. If you

Hi all, Again, this conversation belongs on the SPDX-legal mailing list, not the SPDX-general list. I tried to remedy this early on, but somehow SPDX-legal got dropped and it went back to

 Yes that’s it. I think AND alone could be (and might widely be) misconstrued as to what state is actually being represented. One solution is for people and tools to correctly understand the

SPDX is a compliance tool. It's designed to help people comply with their obligations. It doesn't cover every possible eventuality, and this situation falls outside the spec. IMHO. Having said that,

McCoy, Your example was about snippets in files, but this also happens one level up: If there are some files under License-A and some files under License-B, how do you express the license of a