Hi Olivier,

On 4/27/26 08:27 AM, Olivier Benjamin wrote:
> I would certainly be interested in being able to validate SPDX 3.0
> output.

That shipped in v0.0.6. The short version: Yocto Scarthgap scores 20/50 on the new check because create-spdx-3.0 doesn't emit supplier or per-Package checksums in any form -- field or Relationship. The format detection, CreationInfo, and rootElement checks all pass; it's the 30 per-Package points that are zero.

Full details, the scoring breakdown, and a drafted 2-patch series for openembedded-core to fix the emission gap are in the GitHub issue:

  https://github.com/jetm/shipcheck/issues/3

If you have a Scarthgap or walnascar build with create-spdx-3.0 enabled, I'd be curious what score you see:

  pip install shipcheck==0.0.6
  shipcheck check --build-dir <your-build-dir>

The sbom-generation row is the one to watch.

Any feedback on the BSI v2.1.0 -> SPDX 3.0 field mapping (committed at audits/0003-spdx3-mapping/mapping.md, marked draft pending review) would also be welcome -- you have more context on how the SPDX community expects BSI's requirements to map to 3.0 constructs.

> Not super relevant, but I would dispute the "paperwork regulation"
> bit, and one can only gloss over the "scanner-selection" issue if
> one assumes that problem already solved.

Fair pushback. I was shortcutting. The paperwork framing was meant to highlight the documentation gap, not to minimize the vulnerability-management side of things.

-- 
Javier Tia
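The checks named in the message above (format detection, CreationInfo, rootElement, per-Package supplier and checksum) can be reproduced against an SPDX 3.0 JSON-LD document in a few dozen lines. The following is an added example, not shipcheck's own code and not anything from openembedded-core. It assumes the SPDX 3.0.1 JSON-LD property names (`software_Package`, `suppliedBy`, `verifiedUsing` with `Hash` objects) and uses point weights chosen by me so that the three document-level checks sum to 20 and the two per-Package checks to 30, matching the 20/50 score in the thread; the real shipcheck weights may differ. The sample document is constructed to mirror the described gap: a Package with neither `suppliedBy` nor `verifiedUsing`.

```python
"""Score an SPDX 3.0 JSON-LD SBOM for supplier and per-Package checksum coverage.

Added example with hypothetical point weights; not shipcheck's implementation.
"""
import copy
import json

# Constructed sample: one Package that carries neither suppliedBy nor verifiedUsing.
SAMPLE_MISSING = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld",
    "@graph": [
        {"type": "CreationInfo", "@id": "_:creationinfo",
         "specVersion": "3.0.1", "created": "2026-04-27T08:27:00Z",
         "createdBy": ["https://example.invalid/agent/build-host"]},
        {"type": "Organization", "spdxId": "https://example.invalid/agent/build-host",
         "creationInfo": "_:creationinfo", "name": "example build host"},
        {"type": "SpdxDocument", "spdxId": "https://example.invalid/doc/image",
         "creationInfo": "_:creationinfo",
         "rootElement": ["https://example.invalid/pkg/busybox"]},
        {"type": "software_Package", "spdxId": "https://example.invalid/pkg/busybox",
         "creationInfo": "_:creationinfo", "name": "busybox",
         "software_packageVersion": "1.36.1"},
    ],
})

# Hypothetical weights: document-level checks sum to 20, per-Package checks to 30.
WEIGHTS = {"format": 5, "creation_info": 5, "root_element": 10,
           "package_supplier": 15, "package_checksum": 15}

AGENT_TYPES = {"Agent", "Organization", "Person", "SoftwareAgent"}


def load(text):
    return json.loads(text)


def graph(doc):
    g = doc.get("@graph")
    return g if isinstance(g, list) else []


def of_type(doc, type_name):
    return [e for e in graph(doc) if isinstance(e, dict) and e.get("type") == type_name]


def check_format(doc):
    """Format detection: an SPDX 3.x JSON-LD context plus a non-empty @graph."""
    ctx = doc.get("@context")
    ctxs = ctx if isinstance(ctx, list) else [ctx]
    return any(isinstance(c, str) and "spdx.org/rdf/3." in c for c in ctxs) and bool(graph(doc))


def check_creation_info(doc):
    """A CreationInfo element with a 3.x specVersion, a timestamp and a creator."""
    return any(str(e.get("specVersion", "")).startswith("3.")
               and bool(e.get("created")) and bool(e.get("createdBy"))
               for e in of_type(doc, "CreationInfo"))


def check_root_element(doc):
    """The SpdxDocument names at least one rootElement, and each one resolves in the graph."""
    ids = {e.get("spdxId") for e in graph(doc)}
    return any(bool(d.get("rootElement")) and all(r in ids for r in d["rootElement"])
               for d in of_type(doc, "SpdxDocument"))


def package_checks(doc):
    """Return (supplier_ok, checksum_ok); each is True only if every Package has the field."""
    agent_ids = {e.get("spdxId") for e in graph(doc) if e.get("type") in AGENT_TYPES}
    pkgs = of_type(doc, "software_Package")
    if not pkgs:
        return False, False
    supplier_ok = all(p.get("suppliedBy") in agent_ids for p in pkgs)
    checksum_ok = all(
        any(h.get("type") == "Hash" and bool(h.get("algorithm")) and bool(h.get("hashValue"))
            for h in p.get("verifiedUsing", []))
        for p in pkgs)
    return supplier_ok, checksum_ok


def score(doc):
    """Per-check points plus a total, so the failing row is visible at a glance."""
    supplier_ok, checksum_ok = package_checks(doc)
    results = {"format": check_format(doc),
               "creation_info": check_creation_info(doc),
               "root_element": check_root_element(doc),
               "package_supplier": supplier_ok,
               "package_checksum": checksum_ok}
    breakdown = {k: (WEIGHTS[k] if ok else 0) for k, ok in results.items()}
    breakdown["total"] = sum(breakdown.values())
    return breakdown


def with_supplier_and_checksum(doc, agent_id, sha256_hex):
    """Copy of doc where every Package gets suppliedBy and a sha256 Hash: the shape the
    generator would need to emit for the per-Package points to be awarded."""
    fixed = copy.deepcopy(doc)
    for p in of_type(fixed, "software_Package"):
        p["suppliedBy"] = agent_id
        p["verifiedUsing"] = [{"type": "Hash", "algorithm": "sha256", "hashValue": sha256_hex}]
    return fixed


if __name__ == "__main__":
    doc = load(SAMPLE_MISSING)
    print(score(doc))  # total 20: both per-Package rows are 0
    print(score(with_supplier_and_checksum(doc, "https://example.invalid/agent/build-host", "00" * 32)))
```

Running the module scores the constructed sample at 20/50 with both per-Package rows at zero, and the same document at 50/50 once every Package carries a `suppliedBy` pointing at an Agent in the graph and a `verifiedUsing` Hash. The supplier check deliberately requires the referenced Agent to exist in the graph, since a dangling `suppliedBy` IRI tells a consumer nothing about who supplied the package.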
