FYI: REA publishes the SAG-PM V 1.2 product SBOM in SPDX V2.3 format, if you would like to see another SPDX V2.3 example:
https://raw.githubusercontent.com/rjb4standards/REA-Products/master/SPDX/SAG-PM_SBOM_V1_2.spdx

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of armin.taenzer via lists.spdx.org
Sent: Wednesday, February 22, 2023 9:35 AM
To: [email protected]
Subject: [spdx-tech] Conversion of (multiple) SPDX 2 fileTypes into SPDX 3 contentType

Hi all,

in the tech team call yesterday we discussed the plausibility of multiple file types and if any SBOMs exist "in the wild" that actually include files with more than one file type. So, here is an example from the bom-shelter (indeed from the folder "in-the-wild"! :D ), generated by syft:
https://github.com/chainguard-dev/bom-shelter/blob/cfa2d04268d5c28c601e5386ee723d38914c37dd/in-the-wild/spdx/source-controller_0.21.2_sbom.spdx.json#L7695-L7698

Thus, my question remains: How would I convert multiple SPDX 2 fileTypes into a single SPDX 3 contentType (generically, not just in the example above)?

Possible options:
- only convert the first fileType and drop the rest
- make cardinality of contentType arbitrary (if that is possible)
- ...?

Best regards! :)
Armin

View/Reply Online (#4986): https://lists.spdx.org/g/Spdx-tech/message/4986
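A way to audit an SPDX 2 JSON document for the case raised in this thread, files that declare more than one fileType, and to see what the "only convert the first fileType" option would drop. This is an added example, not part of the original messages; the sample document and the function names are constructed for illustration, and no mapping to SPDX 3 contentType values is assumed.

```python
import json

# Constructed SPDX 2.3 JSON fragment (not taken from any real SBOM).
SAMPLE_SPDX2 = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "files": [
    {"SPDXID": "SPDXRef-File-a", "fileName": "./bin/tool", "fileTypes": ["BINARY", "APPLICATION"]},
    {"SPDXID": "SPDXRef-File-b", "fileName": "./README.md", "fileTypes": ["TEXT", "DOCUMENTATION", "TEXT"]},
    {"SPDXID": "SPDXRef-File-c", "fileName": "./main.go", "fileTypes": ["SOURCE"]},
    {"SPDXID": "SPDXRef-File-d", "fileName": "./LICENSE"}
  ]
}
""")


def multi_type_files(doc):
    """Return one record per file that declares more than one distinct fileType."""
    findings = []
    for f in doc.get("files", []):
        raw = f.get("fileTypes") or []      # fileTypes is optional in SPDX 2
        if not isinstance(raw, list):       # tolerate a tool emitting a bare string
            raw = [raw]
        types = list(dict.fromkeys(raw))    # de-duplicate, keep declared order
        if len(types) > 1:
            findings.append({
                "SPDXID": f.get("SPDXID"),
                "fileName": f.get("fileName"),
                "kept_if_first_only": types[0],
                "dropped_if_first_only": types[1:],
            })
    return findings


def summarize(doc):
    """Count how many files a first-only conversion would lose information for."""
    findings = multi_type_files(doc)
    return {
        "files_total": len(doc.get("files", [])),
        "files_multi_type": len(findings),
        "types_dropped": sum(len(x["dropped_if_first_only"]) for x in findings),
    }


if __name__ == "__main__":
    for finding in multi_type_files(SAMPLE_SPDX2):
        print(finding)
    print(summarize(SAMPLE_SPDX2))
```

Running the same functions over a real document only requires replacing `SAMPLE_SPDX2` with the result of `json.load()` on that file.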
