FYI on a related activity: The OpenC2 TC is planning a proof-of-concept event for retrieving SBoM data to make network access control decisions. There will be an online interoperability testing event sometime in late August leading up to a possibly in-person event (depending on public health status) at TTD ( https://techtransferdays.org/) in late October.
The PoC description (work in progress) is available at https://github.com/oasis-tcs/openc2-usecases/tree/master/SBOM-PoC.

One thing I don't have a good handle on is how an SPDX document is used to make decisions about the subject of that document (i.e., if a device has software with a collection of N licenses, are there examples of policies that evaluate the SPDX doc to decide whether the device is "good" or "bad"?). Any pointers to SPDX-based decision-making would be appreciated.

Thanks,
Dave Kemp

View/Reply Online (#3892): https://lists.spdx.org/g/Spdx-tech/message/3892
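As an added illustration of the kind of SPDX-based policy check the question asks about (example code written for this page, not part of the original message or the OpenC2 SBOM PoC): a minimal SPDX 2.x tag-value parser feeds a constructed license denylist, and the result is an allow/deny decision for the device the SBOM describes. The sample document, the denylist and the "deny on any denied alternative" rule are all assumptions made here.

```python
# Added example: evaluate an SPDX 2.x tag-value SBOM against a license policy
# to produce a network-access decision. Sample document and policy are constructed.
import re

# Constructed SPDX 2.2 tag-value document describing two packages on a device.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageLicenseConcluded: (GPL-2.0-only OR LGPL-2.1-only)
PackageLicenseDeclared: NOASSERTION
"""

# Constructed policy: license identifiers the (hypothetical) network operator refuses.
DENIED_LICENSES = {"GPL-2.0-only", "AGPL-3.0-only"}

def license_ids(expr):
    """Split an SPDX license expression into bare identifiers (operators dropped)."""
    if expr in ("NOASSERTION", "NONE"):
        return set()
    expr = re.sub(r"\b(AND|OR|WITH)\b", " ", expr)
    return set(re.findall(r"[A-Za-z0-9.+-]+", expr))

def parse_packages(text):
    """Return [{name, licenses}] for each PackageName section of a tag-value document."""
    packages = []
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines, comments, <text> bodies are ignored here
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            packages.append({"name": value, "licenses": set()})
        elif tag in ("PackageLicenseConcluded", "PackageLicenseDeclared") and packages:
            packages[-1]["licenses"] |= license_ids(value)
    return packages

def decide(text, denied=DENIED_LICENSES):
    """Return ("allow" | "deny", reasons). Conservative: any denied identifier in an
    OR expression, or a package with no license data at all, blocks the device."""
    reasons = []
    for pkg in parse_packages(text):
        hit = pkg["licenses"] & denied
        if hit:
            reasons.append(f"{pkg['name']}: {sorted(hit)}")
        elif not pkg["licenses"]:
            reasons.append(f"{pkg['name']}: no license information")
    return ("deny" if reasons else "allow", reasons)
```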