Steve, Regarding: “I have no opinion on end-of-life either way, but wouldn’t the same argument apply to security vulnerabilities?” Yes, if a software vendor chooses to list each known vulnerability wi

#spdx

I agree: “I would suggest to keep this information "out of band" and not inside SPDX documents” Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council

#spdx

You’re welcome. You will most likely need SPDX V2.3 if you have any “FILE” components that need to specify version info. The new PackagePurpose field supports the version info for “FILE” artifacts. Th

#spdx

NTIA Framing document has the mapping you seek: see page 13 https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf However the “EO 14028 NTIA min element list is a lit

#spdx

Kate and Sandeep, Our customers are also interested in this information. There are two concepts to consider: Commercial Status: <enumeration value="Available"></enumeration> <enumeration value="Retire

#spdx

Thanks, Rose – much appreciate the quick response and for all that you do for the SPDX community. Looking forward to participating in the DocFest. Cheers and best regards, Dick Brooks Never trust soft

Rose, Where can I find the target set objects to create/submit an SPDX SBOM? Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@re

Phil, I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost member

Thanks, Phil. 100% agree with you. Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-

Thanks, Phil. Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn. Thanks, Dick Brooks Never trust software, a

Phil, I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support pro

Thanks, Phil – I’m very much looking forward to the configurable profiles capability. Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email

Phil, Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber r

I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM. Great timing getting the ISO standard status before the 9/16 DocFest. Very cool! Thanks, Dick Brooks Ne

A truly amazing achievement – well done and congratulations to Kate and the entire SPDX and Linux Foundation community that made this happen. So much looking forward to advancing SPDX interoperability