SPDX and NTIA SBOM Minimum elements #spdx
Patil, Sandeep
Hi,
Is there any document reference which can be used to see the mapping between SPDX tags and the NTIA Minimum elements? Some element names can easily be confused; for example, are "Author of SBOM Data" in the NTIA Minimum elements and the "Creator" tag in SPDX the same? Regards, Sandeep
The NTIA Framing document has the mapping you seek: see page 13, https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf
However, the “EO 14028” NTIA minimum element list is a little different from the framing document list (see attached).
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™ http://www.reliableenergyanalytics.com Email: dick@... Tel: +1 978-696-1788
Patil, Sandeep
Thank you Dick, this is useful.
You’re welcome.
You will most likely need SPDX V2.3 if you have any “FILE” components that need to specify version info. The new PackagePurpose field supports the version info for “FILE” artifacts.
Thanks,
Dick Brooks
William Bartholomew (CELA)
This is how Microsoft has approached this:
The one thing I’d add is that additional identifiers would be stored in External References.
Regards,
William Bartholomew (he/him), Principal Security Strategist, Global Cybersecurity Policy – Microsoft
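As an added example (not code from this thread or from any of the posters), here is a small Python checker that applies the SPDX-to-NTIA mapping Dick points to and the External References point William raises to an SPDX 2.3 tag:value SBOM, reporting which minimum elements are absent or only carry NOASSERTION. The element-to-tag table is my reading of the SPDX column on page 13 of the NTIA framing document cited above, and the sample SBOM, the package names and the `parse_tag_value`/`check_ntia` function names are all constructed for the example.

```python
"""NTIA minimum-element check for an SPDX 2.x tag:value SBOM.

Added example, not from the mailing-list thread. The element-to-tag table
is an assumed reading of the SPDX column in the NTIA framing document
(2nd ed., p. 13); SAMPLE_SBOM and all names below are constructed for
the demonstration.
"""
import re
from collections import defaultdict

# NTIA minimum element -> SPDX 2.x tag that carries it (assumed mapping).
# Document-level elements live in the Creation Information section.
DOC_LEVEL = {
    "Author of SBOM Data": "Creator",
    "Timestamp": "Created",
}
# Package-level elements live in each Package section. "Other Unique
# Identifiers" is checked against ExternalRef (purl, CPE, ...), since the
# mandatory SPDXID only identifies the package inside this one document.
PKG_LEVEL = {
    "Supplier Name": "PackageSupplier",
    "Component Name": "PackageName",
    "Version of the Component": "PackageVersion",
    "Other Unique Identifiers": "ExternalRef",
}

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Split a tag:value document into (doc_fields, packages, relationships).

    Single-line values only; <text>...</text> blocks are not handled.
    A new package starts at each PackageName line, as in SPDX 2.x.
    """
    doc = defaultdict(list)
    packages = []
    relationships = []
    current = None
    for raw in text.splitlines():
        m = TAG_RE.match(raw.strip())
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = defaultdict(list)
            packages.append(current)
        if tag == "Relationship":
            relationships.append(value)
        elif current is not None:
            current[tag].append(value)
        else:
            doc[tag].append(value)
    return doc, packages, relationships


def _present(values):
    """A tag counts as present only if some value is not NOASSERTION/NONE."""
    return any(v not in ("NOASSERTION", "NONE") for v in values)


def check_ntia(text):
    """Return a list of findings; an empty list means every minimum element is present."""
    doc, packages, relationships = parse_tag_value(text)
    findings = []
    for element, tag in DOC_LEVEL.items():
        if not _present(doc.get(tag, [])):
            findings.append(f"{element}: missing {tag}")
    if not packages:
        findings.append("Component Name: no Package sections")
    for pkg in packages:
        name = pkg["PackageName"][0]
        for element, tag in PKG_LEVEL.items():
            if not _present(pkg.get(tag, [])):
                findings.append(f"{element}: package {name!r} lacks {tag}")
    # Dependency Relationship: at least one Relationship line (DESCRIBES,
    # DEPENDS_ON, CONTAINS, ...) tying the components together.
    if not relationships:
        findings.append("Dependency Relationship: no Relationship lines")
    return findings


# Constructed SPDX 2.3 tag:value SBOM: the top-level package is complete,
# the dependency lacks a supplier (NOASSERTION) and an external identifier.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app-sbom
DocumentNamespace: https://example.com/sbom/example-app-1.0.0
Creator: Organization: Example Corp
Creator: Tool: sbom-gen-0.1
Created: 2022-05-16T12:10:00Z

PackageName: example-app
SPDXID: SPDXRef-Package-app
PackageVersion: 1.0.0
PackageSupplier: Organization: Example Corp
PackageDownloadLocation: NOASSERTION
ExternalRef: PACKAGE-MANAGER purl pkg:generic/example-app@1.0.0

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 2.4.1
PackageSupplier: NOASSERTION
PackageDownloadLocation: NOASSERTION

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-app
Relationship: SPDXRef-Package-app DEPENDS_ON SPDXRef-Package-libfoo
"""

if __name__ == "__main__":
    for line in check_ntia(SAMPLE_SBOM) or ["all NTIA minimum elements present"]:
        print(line)
```

Run as-is it reports two findings, both against libfoo: the supplier is NOASSERTION (syntactically valid SPDX, but not the NTIA element) and there is no ExternalRef carrying a purl or CPE. The NOASSERTION handling is the part worth keeping in a real pipeline: a mapping table alone says nothing about whether the tag is actually populated.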