Hello all,
Continuing the conversation here...
Gary, I wouldn't say that an SBOM is an XML transformation of a POM.
CycloneDX, for example, can contain information not in a POM, such as
license information, service relationships, and vulnerabilities [1].
The component identifiers used are also
I hesitate to weigh in because I am not going to be doing any of the work,
but I think it's useful to consider what you're trying to accomplish with
SBOM. I used to spend a lot of time in the SBOM space.
If it's license compliance, SPDX makes a lot of sense. It was built from
the ground up to be
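The point about CycloneDX carrying license, service and vulnerability data that a POM does not, shown on a constructed CycloneDX 1.4 JSON document (added example, not code from this thread; component names, the service endpoint and the vulnerability ids are placeholders). The helper also reports `affects` refs that do not resolve to a declared component, which is the usual way a hand-assembled BOM goes wrong.

```python
"""Parse a CycloneDX JSON BOM and pull out what a Maven POM would not tell you:
per-component licenses, components with no license at all, declared services,
and vulnerabilities mapped back to components via bom-ref."""
import json

# Constructed sample BOM (placeholder names and ids, not a real project).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "bom-ref": "pkg:maven/org.example/libfoo@1.2.3",
         "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:maven/org.example/libfoo@1.2.3",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "bom-ref": "pkg:maven/org.example/libbar@0.9.0",
         "name": "libbar", "version": "0.9.0",
         "purl": "pkg:maven/org.example/libbar@0.9.0"},   # no license data
    ],
    "services": [
        {"bom-ref": "svc-payments", "name": "payments-api",
         "endpoints": ["https://payments.example.internal/v1"]}
    ],
    "vulnerabilities": [
        {"id": "VULN-PLACEHOLDER-1", "ratings": [{"severity": "high"}],
         "affects": [{"ref": "pkg:maven/org.example/libbar@0.9.0"}]},
        {"id": "VULN-PLACEHOLDER-2", "ratings": [{"severity": "low"}],
         "affects": [{"ref": "pkg:maven/org.example/missing@1.0.0"}]},  # dangling
    ],
})


def summarize(bom_json: str) -> dict:
    """Return licenses per component, unlicensed components, service names,
    vulnerabilities keyed by component bom-ref, and dangling affects refs."""
    bom = json.loads(bom_json)
    refs = {c["bom-ref"]: c for c in bom.get("components", [])}
    licenses = {}
    for ref, comp in refs.items():
        # A licenses entry is either {"license": {id|name}} or {"expression": ...}.
        licenses[ref] = [entry.get("license", {}).get("id")
                         or entry.get("license", {}).get("name")
                         or entry.get("expression")
                         for entry in comp.get("licenses", [])]
    vulns, dangling = {}, []
    for vuln in bom.get("vulnerabilities", []):
        for target in vuln.get("affects", []):
            if target["ref"] in refs:
                vulns.setdefault(target["ref"], []).append(vuln["id"])
            else:
                dangling.append((vuln["id"], target["ref"]))
    return {
        "licenses": licenses,
        "unlicensed": [ref for ref, lic in licenses.items() if not lic],
        "services": [svc["name"] for svc in bom.get("services", [])],
        "vulns_by_component": vulns,
        "dangling_refs": dangling,
    }
```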