Hoping to meet some people at this supply chain technical conference in Washington on December 7. Please come out and show your support for SBOM in software supply chains and meet many of the people w

Steve, SBOM’s are created to serve a purpose, for example some SBOM’s are used for license management, some are used for dependency tracking and the one I’m most familiar with is an SBOM used by a sof

REA is pleased to announce the general availability of SAG-PM Version 1.2 with support for SPDX V 2.3 and CycloneDX V 1.4. This release satisfies the requirements outlined on OMB memo M-22-18 publishe

Sandeep, I’m not aware of any specific guidelines for signing SBOM’s (SPDX and CycloneDX). REA’s signs SBOM’s using PGP as this seems to be the easiest method to sign stand-alone text files, including

#spdx

Sandeep, A good example of a VEX advisory is provided by Siemens in their log4j advisory: https://cert-portal.siemens.com/productcert/csaf/ssa-661247.json NOTE: VEX’s are vulnerability centric, where

#spdx

Sandeep, NIST also recommends that vendors and consumers “Maintain vendor vulnerability disclosure reports at the SBOM component level.” See 5/5 guidance: https://www.nist.gov/itl/executive-order-1402

#spdx

Steve, Regarding: “I have no opinion on end-of-life either way, but wouldn’t the same argument apply to security vulnerabilities?” Yes, if a software vendor chooses to list each known vulnerability wi

#spdx

I agree: “I would suggest to keep this information "out of band" and not inside SPDX documents” Thanks, Dick Brooks Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council

#spdx

You’re welcome. You will most likely need SPDX V2.3 if you have any “FILE” components that need to specify version info. The new PackagePurpose field supports the version info for “FILE” artifacts. Th

#spdx

NTIA Framing document has the mapping you seek: see page 13 https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf However the “EO 14028 NTIA min element list is a lit

#spdx

Kate and Sandeep, Our customers are also interested in this information. There are two concepts to consider: Commercial Status: <enumeration value="Available"></enumeration> <enumeration value="Retire

#spdx

Thanks, Rose – much appreciate the quick response and for all that you do for the SPDX community. Looking forward to participating in the DocFest. Cheers and best regards, Dick Brooks Never trust soft

Rose, Where can I find the target set objects to create/submit an SPDX SBOM? Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@re

Phil, I just checked on REA’s LF membership status and it appears the lowest cost tier is $5,000 to become a LF member. Please confirm my understanding is correct that $5,000 is the lowest cost member

Thanks, Phil. 100% agree with you. Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-

Thanks, Phil. Kate/Gary, please let me know if there is anything I can do to help with a cyber risk assessment use case – I’m happy to contribute and learn. Thanks, Dick Brooks Never trust software, a

Phil, I had to attend a CISA meeting held at the same time as the SPDX meeting; I didn’t see any info in the minutes regarding the work on profiles. Any updates to share on the progress to support pro

Thanks, Phil – I’m very much looking forward to the configurable profiles capability. Thanks, Dick Brooks Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email

Phil, Minimal SBOM elements specified by NTIA for Executive Order (EO) 14028 do not include license data element requirements (see attached). The EO and the NTIA SBOM minimal elements focus on Cyber r

I just realized that the DocFest will be demonstrating interoperability of an ISO standard SBOM. Great timing getting the ISO standard status before the 9/16 DocFest. Very cool! Thanks, Dick Brooks Ne