Enabling SBOM across repositories #33
Comments
There seems to be at least 3 SBOM formats. We probably should decide on which one we want to use first.
SWIDs claim to be an SBOM format but are more of an identifier format, but also not really a great solution there. Realistically the decision really is between SPDX and CycloneDX, though they are mostly interchangeable unless you have a very specific use case. My perspective comes from CNCF TAG Security, work with OpenSSF and work with the SPDX community. If folks are interested I can pull in experts to discuss with your community.
I am interested ✌️, which is this use case you mention above, @mlieberman85?
This would be great @mlieberman85!
So the use cases where they're not right now are mostly focused on specific fields that might be in one but not the other. For example, there are AI/ML model-specific bill of materials fields in CycloneDX released already, and a similar SPDX feature is still being developed. Let me reach out to some of the folks in the community and tag them in this thread.
Adding @puerco, who is an expert in the community.
Hello, happy to help out! Do you have a tracker of projects that need to build their SBOMs?
This issue is to capture discussions happening in various SIGs around creating a software bill of materials.