On Tue, Jul 12, 2022 at 9:49 AM David Kemp via lists.spdx.org <dk190a=
[email protected]> wrote:

> A transfer unit could contain two Packages and one Relationship:
>
> [ {Package1}, {Package2}, {Relationship1} ]
>
> and it could also contain an SBOM element (subtype of Document/Bundle)
> describing itself, which allows other SBOMs to find the artifactURL of the
> file and reference the element values it contains:
>
> [ {Package1}, {Package2}, {Relationship1}, {SBOM} ]
>
> * Without the SBOM Element, the transfer unit file contains just three
> elements, to be edited in a tool, transferred, archived or whatever.
> * With the SBOM Element, the file containing the four elements can be
> referenced by other SBOMs:
>

Most importantly, if a transfer unit with the three elements exists
somewhere (e.g., in a GitHub repo), someone can create an SBOM with just
one element that references those three elements: The SBOM element allows
the artifactURL and the three elements in the file at that URL to be
represented in the model store.

[ {Package1}, {Package2}, {Relationship1} ]
[ {SBOM} ]

Dave
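
The second layout described above (a one-element SBOM file pointing at a separate three-element file), sketched as an added example that is not part of the original message or of any SPDX tooling. Only `artifactURL` comes from the thread; the other field names, the URLs, and the `fetch` and `load_into_store` helpers are assumptions for illustration.

```python
# Constructed sample data: field names other than artifactURL ("id", "type",
# "elements", "from", "to") are assumptions for illustration, not SPDX schema.
TRANSFER_UNITS = {
    "https://example.org/repo/packages.json": [
        {"id": "urn:ex:Package1", "type": "Package"},
        {"id": "urn:ex:Package2", "type": "Package"},
        {"id": "urn:ex:Relationship1", "type": "Relationship",
         "from": "urn:ex:Package1", "to": "urn:ex:Package2"},
    ],
    "https://example.org/repo/sbom.json": [
        {"id": "urn:ex:SBOM1", "type": "SBOM",
         "artifactURL": "https://example.org/repo/packages.json",
         "elements": ["urn:ex:Package1", "urn:ex:Package2",
                      "urn:ex:Relationship1"]},
    ],
}


def fetch(url):
    """Stand-in for an HTTP GET; reads the constructed units above (offline)."""
    return TRANSFER_UNITS[url]


def load_into_store(url, store=None):
    """Load a transfer unit; follow each SBOM element to the file it describes."""
    store = {} if store is None else store
    for element in fetch(url):
        store[element["id"]] = element
        if element["type"] != "SBOM":
            continue
        target = element["artifactURL"]
        available = {e["id"]: e for e in fetch(target)}
        missing = [i for i in element["elements"] if i not in available]
        if missing:
            # The SBOM claims elements the referenced file does not contain.
            raise LookupError(f"{target} lacks {missing}")
        for i in element["elements"]:
            store[i] = available[i]
    return store
```

Loading the packages file alone yields three elements in the store; loading the SBOM file yields four, and a reference to an element the target file lacks is rejected rather than silently dropped.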