Hello SPDX tech, how would one begin to track compliance attestations in SPDX 3.0? Can we model information about evidence of compliance with SSDF controls? Currently the EO requires SW providers to self-attest to SSDF practices (https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-attesting), and then provide the SBOM as a companion artifact. Does SPDX allow embedding an attestation in the SBOM itself before signing?
Thanks,
Rose

View/Reply Online (#5112): https://lists.spdx.org/g/Spdx-tech/message/5112
