If you haven't looked at the G7 SBOM fields list circulated on the SPDX-AI Slack: I really like how they have categorized the fields needed for AI, physical/hardware, security, etc. When I did a mapping to SPDX, that's when it got confusing. For example, not all AI-needed fields are in the AI profile; as you say, some are in Core, etc. But as a creator of an SPDX SBOM, I don't want to know where all the fields live in which profiles. Yes, an automated tool helps, but I need to validate that it created the SBOM correctly. It would be great to create a front-end tool where I say all the AI fields that I'm capturing and then the tool creates the SPDX AI-BOM JSON.

@bob, when we did the procurement mapping to SPDX, I was thinking a Procurement UI would have helped the procurement groups. John C gave a great presentation last week to COSINE on how to create an AI BOM (unfortunately, he used the CDX method) but it was simple and easy to understand. That's what we need for SPDX IMHO. To me, the use cases, or whatever we call them, are sample code that a developer can copy and paste; it's not so much about the fields, it's more about how to fill in the fields. Just my two cents.

On Monday, May 18, 2026 at 02:08:11 p.m. EDT, Martin, Robert A via lists.spdx.org <[email protected]> wrote:

Agreed - but we can't just talk about software either…

Bob

From: Philip Odence <[email protected]>
Date: Monday, May 18, 2026 at 2:06 PM
To: Robert A Martin <[email protected]>; [email protected] <[email protected]>
Subject: [EXT] Re: SPDX outreach - ideas for outreach stories

Thanks, Bob. Sorry to get all semantic on you again, but I would be careful with the term "business case." That typically refers to an economic justification for a course of action. Let me take a shot at clarifying my thinking.

- A profile is a set of fields that are necessary to describe a particular software area of interest.
- Profile use cases are high level and illustrate a particular area or aspects of that area.
- However, while a profile contains necessary fields, it likely doesn't include fields to fully do the job for that area.
- Most areas will require, in addition to the profile, the fields from the Core and Software foundational profiles.
- And they may require profiles from other areas.
- It is also the case that a BOM might incorporate multiple areas. So different mixes of profiles are possible.
- Usage examples describe, broadly and in detail, how a set of SPDX profiles may be used to address a particular business problem.

From: [email protected] <[email protected]> on behalf of Martin, Robert A via lists.spdx.org <[email protected]>
Date: Monday, May 18, 2026 at 9:36 AM
To: [email protected] <[email protected]>
Subject: SPDX outreach - ideas for outreach stories

Idea Area 1:
Architecture of SPDX Profiles and their Use for capturing and conveying real systems
Graphs and Simple BOMs - their use for enterprise analysis and real-time decisions

Idea Area 2:
Explain how to use SPDX to describe business cases / usage scenario
Areas of Interest - explain how to use the various profiles to create a useful SPDX file
How to create a page or two that explains the mix needed - look at https://spdx.dev/learn/areas-of-interest/ai/

Bob

--
Robert (Bob) Martin
Sr. Software and Supply Chain Assurance Principal Eng.
Cyber Integration and Innovation Cell Department
Cyber Engineering Division
Center for AI, Cyber & Digital
MITRE Technology & Engineering
MITRE Corporation
781-271-3001 o
781-424-4095 c

View/Reply Online (#1492): https://lists.spdx.org/g/Spdx-outreach/message/1492
