SPDX and NTIA SBOM Minimum elements #spdx
NTIA Framing document has the mapping you seek: see page 13
https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf
However, the EO 14028 NTIA min element list is a little different from the framing document list (see attached).
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788
Sent: Monday, May 16, 2022 12:10 PM
To: spdx@...
Subject: [spdx] SPDX and NTIA SBOM Minimum elements #spdx
Hi,
Is there any document reference which can be used to see the mapping between SPDX tags and NTIA Minimum elements?
Some element names can be easily confused, something like "Author of SBOM Data" in NTIA Minimum elements and the "Creator" tag in SPDX: are those the same?
Regards
Sandeep
Thank you Dick, this is useful.
You’re welcome.
You will most likely need SPDX V2.3 if you have any “FILE” components that need to specify version info. The new PackagePurpose field supports the version info for “FILE” artifacts.
Thanks,
Dick Brooks
This is how Microsoft has approached this:
The one thing I’d add is that additional identifiers would be stored in External References.
Regards,
William Bartholomew (he/him) – Let’s chat
Principal Security Strategist
Global Cybersecurity Policy – Microsoft
My working day may not be your working day. Please don’t feel obliged to reply to this e-mail outside of your normal working hours.
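Added example, not part of any message in this thread and not code from SPDX, NTIA or Microsoft: a completeness check of an SPDX 2.x JSON document against the NTIA minimum data fields, plus a helper that lists the additional identifiers kept in External References. The element-to-field mapping, the rule that `NOASSERTION` counts as missing, and the sample document are assumptions of the example; the table attached to the thread is not reproduced on this page.

```python
# NTIA minimum element -> SPDX 2.x JSON key. The mapping is an assumption of
# this example; the table attached to the thread is not reproduced on the page.
DOC_FIELDS = [("Author of SBOM Data", "creators"), ("Timestamp", "created")]
PKG_FIELDS = [("Supplier Name", "supplier"), ("Component Name", "name"),
              ("Version of the Component", "versionInfo"),
              ("Other Unique Identifiers", "SPDXID")]

# Constructed sample document, not a real SBOM.
SAMPLE = {
    "spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
    "creationInfo": {"created": "2022-05-16T12:00:00Z",
                     "creators": ["Tool: example-sbom-tool-1.0"]},
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.2.0",
         "supplier": "Organization: Example Corp",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                           "referenceType": "purl",
                           "referenceLocator": "pkg:generic/app@1.2.0"}]},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "supplier": "NOASSERTION"},
    ],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-app"}],
}

def _present(value):
    # Example policy: empty values and NOASSERTION count as missing.
    return bool(value) and value != "NOASSERTION"

def check_ntia_minimum(doc):
    """Return findings in document order; an empty list means nothing is missing."""
    findings = []
    info = doc.get("creationInfo", {})
    for element, key in DOC_FIELDS:
        if not _present(info.get(key)):
            findings.append(f"document: {element} (creationInfo.{key}) missing")
    related = set()  # every element ID that appears in some relationship
    for rel in doc.get("relationships", []):
        related.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        for element, key in PKG_FIELDS:
            if not _present(pkg.get(key)):
                findings.append(f"{pid}: {element} ({key}) missing")
        if pid not in related:
            findings.append(f"{pid}: Dependency Relationship (relationships) missing")
    return findings

def extra_identifiers(pkg):
    """Additional identifiers held in External References, as (type, locator)."""
    return [(r.get("referenceType"), r.get("referenceLocator"))
            for r in pkg.get("externalRefs", [])]
```

On the sample, `check_ntia_minimum(SAMPLE)` reports three gaps, all on `SPDXRef-libfoo`: supplier, version and dependency relationship.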