SPDX Generator with RefIDs and package hierarchy
Is SPDX actually useful as an SBoM specification? I tried to add support into uSWID a few months ago and it was totally underspecified compared to SWID. Richard.
By Richard Hughes · #1638

SPDX Generator with RefIDs and package hierarchy
So just to confirm with the community: There is no single generator that can generate SPDX SBOMs, with dependency hierarchies, across different ecosystems (Python, Go, etc.) and for both containers &
By daniel@... · #1637 · Edited

SPDX Generator with RefIDs and package hierarchy
Daniel Have a look at SBOM4Python which generates an SBOM for an installed python module including all of its dependencies (direct or indirect). And look at SBOM2dot which generates a DOT file for pro
By Anthony Harrison · #1636

SPDX Generator with RefIDs and package hierarchy
Hi Daniel, I take it by refID you’re referring to the SPDX ID for the packages. There are a few tools out there that can build SBOMs with the dependency maps. You can find information on some of the t
By Gary O'Neall · #1635

SPDX Generator with RefIDs and package hierarchy
All, I feel like I'm missing something obvious here, but which SBOM generators actually generate SPDX SBOMs that (1) have refID's for the overall asset (documentDescribes), and (2) have package depend
By daniel@... · #1634

Link to US National Cybersecurity Strategy posted today
https://www.ntia.gov/files/ntia/publications/ntia_sbom_use_cases_roles_benefits-nov2019.pdf
By Alfred Strauch · #1633

SPDX in GSoC 2023!
Hello! Congratulations to spdx for being accepted into GSoC 2023 as an organisation! I'm Rahul and I would love to contribute to fixing manifest parsers for the SPDX generator. I've gone through the r
By Rahul · #1632

Link to US National Cybersecurity Strategy posted today
https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Cybersecurity-Strategy-2023.pdf Note references to SBOM and NIST/CISA role in driving regulations. Thanks, Dick Brooks Active Member of t
By Dick Brooks · #1631

Thursday SPDX General Meeting Reminder
Hello all, Max Huber of TNG Technology Consulting will be presenting on Thursday: In this presentation, Max will give a brief update of the recent development in the Python Tools. It went through a hug
By Phil Odence · #1630

JSON schema v2.2 PACKAGE_MANAGER discrepancy
Hi Keith, Please feel free to create an issue and/or a pull request for the 2.2 JSON schema update. If there are no objections, we can merge it into the 2.2 spec branch. Thanks, Gary
By Gary O'Neall · #1629

JSON schema v2.2 PACKAGE_MANAGER discrepancy
Hi All, There has been a small discrepancy in the SPDX 2.2 JSON schema and the SPDX spec for a while: the 2.2 spec indicates External Reference Category should have a value of: SECURITY | PACKAGE-MANA
By Keith Zantow · #1628

SPDX Steering Committee Nominations
Dear SPDX community, We are approaching the end of the current term for several members of the SPDX Steering Committee. We are reaching out to let the community know about the upcoming nomination and
By Phil Odence · #1627

Minutes from last SPDX General Meeting
Pull request not yet approved in GH, so here are the minutes. Sorry they are ugly and indentation isn’t working right. All good in GH. #SPDX General Meeting Minutes - January 5, 2023 ## Administrative
By Phil Odence · #1626

SPDX General Meeting
Extending the meeting for 2023…and beyond! Please accept this recurring invitation. “Dial In” info: Join the meeting: https://meet.jit.si/SPDXGeneralMeeting To join by phone instead, tap this: +1.512.
By Phil Odence · #1625

SPDX in GSoC 2023!
Hi everyone! As every year, Google runs their Summer of Code program, where contributors get the opportunity to become part of Open Source communities. The SPDX Project has participated in the program
By Alexios Zavras · #1624

Seeking Opinions/Participants about AI SBOM Features
Researchers at Indiana University’s Luddy School of Informatics, Computing, and Engineering are looking for participants in the study of SBOM feature preferences. This is an online and asynchronous st
By Caven, Peter · #1623

Please participate: "State of Open Standards Survey"
The Linux Foundation (LF) has launched The State of Open Standards Survey to capture how different organizations are involved in open standards adoption and contribution, with the aim of measuring the
By Kate Stewart · #1622

SPDX Thursday General Meeting Reminder
Thanks, Max. I think that “bug” has been there for a while. I will endeavor to eliminate it going forward. Thanks for pointing it out. Phil From: spdx@... <spdx@...> on behalf of
By Phil Odence · #1621

SPDX Thursday General Meeting Reminder
Hey Phil, just checked the meeting time and there seems to be an inconsistency: 8am PT / 10 am CT / 11am ET maps to 16:00 UTC I assume that 16:00 UTC, as it is the usual time, is right? Best Max wrot
By Maximilian Huber · #1620

SPDX Thursday General Meeting Reminder
Happy New Year, all. I hope you have a meeting on your calendar for Thursday. In case there is an issue, the conference info is included below. No special presentation this month. Also please note tha
By Phil Odence · #1619