Alexios,
Regarding this assertion, “having a value of NOASSERTION as packageVersion means that the SBOM including this does NOT meet NTIA’s minimum requirements”, I disagree with this assertion, Alexios.

The NTIA SBOM framing document provides guidance with regard to missing data:

SBOMs must gracefully handle cases of missing or non-applicable attributes. A basic recommendation is to always provide all of the baseline attributes but explicitly define values that differentiate between “no assertion” (i.e., data is missing), and “no value” (i.e., the attribute is not applicable for this specific SBOM). Alternatively, an SBOM format can permit missing baseline attributes and treat them as default values (i.e., “no assertion” or “no value”).

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
<https://reliableenergyanalytics.com/products>
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Eliot Lear
Sent: Monday, August 21, 2023 9:33 AM
To: Alexios Zavras <[email protected]>; Gary O'Neall <[email protected]>; [email protected]
Cc: [email protected]; 'SPDX Technical Mailing List' <[email protected]>; 'Emrick Donadei' <[email protected]>; 'Tyler Pirtle' <[email protected]>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

So I know the following is the case:

On 21.08.23 12:05, Alexios Zavras wrote:
> Regardless of this, I hope that we all agree that having a value of NOASSERTION as packageVersion means that the SBOM including this does NOT meet NTIA’s minimum requirements.

I do wonder if people will get around this by simply Making Stuff Up. Not suggesting that as an approach, mind you.

Eliot
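The disagreement above is about what an SBOM consumer should do with an explicit NOASSERTION in a baseline field. As an added example (not code from this thread, from the SPDX project, or from NTIA), the following Python script reads an SPDX 2.3 JSON document and classifies each NTIA baseline attribute (supplier, component name, version, other unique identifier, dependency relationship, SBOM author, timestamp) as present, NOASSERTION (no claim made), NONE (explicitly not applicable), or absent (field omitted). Whether NOASSERTION or NONE satisfies the minimum is left as a policy parameter, so the same document can be evaluated under either position taken in the thread. The SPDX field names (versionInfo, supplier, externalRefs, creationInfo, relationships) are the real SPDX 2.3 JSON names; the sample document, the package names in it, and the use of a purl as the "other unique identifier" are assumptions made for this example.

```python
"""Classify NTIA baseline attributes in an SPDX 2.3 JSON document.

Added example for this thread; not code from the SPDX project or from
any poster. Each baseline attribute ends up in one of four states:
  present      - a real value is given
  noassertion  - SPDX "NOASSERTION": the producer made no claim (data missing)
  none         - SPDX "NONE": the producer states the attribute does not apply
  absent       - the field was omitted from the document entirely
Whether "noassertion" or "none" satisfies the NTIA minimum is a policy
choice (the point disputed in the thread), so it is a parameter here.
"""
import json

NOASSERTION = "NOASSERTION"   # SPDX sentinel: no claim made
NONE = "NONE"                 # SPDX sentinel: explicitly not applicable

# Constructed sample SPDX 2.3 JSON (not a real SBOM). Field names follow
# the SPDX 2.3 JSON schema; package contents are invented for illustration.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "creationInfo": {"created": "2023-08-21T09:33:00Z",
                     "creators": ["Tool: example-generator-0.1"]},
    "packages": [
        {   # fully populated component
            "SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.2.3",
            "supplier": "Organization: Example Corp",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:generic/app@1.2.3"}],
        },
        {   # version unknown to the producer: NOASSERTION
            "SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": NOASSERTION,
            "supplier": "Organization: Foo Project",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:generic/libfoo"}],
        },
        {   # producer states there is no version (vendored snippet): NONE
            "SPDXID": "SPDXRef-snippet", "name": "vendored-snippet", "versionInfo": NONE,
            "supplier": "Organization: Example Corp",
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:generic/vendored-snippet"}],
        },
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-libfoo"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-snippet"},
    ],
})


def classify(value):
    """Map one field value to present / noassertion / none / absent."""
    if value is None or value == "" or value == []:
        return "absent"
    if value == NOASSERTION:
        return "noassertion"
    if value == NONE:
        return "none"
    return "present"


def package_status(pkg, relationships):
    """Classify the per-component NTIA baseline attributes of one package."""
    purls = [r.get("referenceLocator") for r in pkg.get("externalRefs", [])
             if r.get("referenceType") == "purl"]
    involved = any(pkg.get("SPDXID") in (r.get("spdxElementId"), r.get("relatedSpdxElement"))
                   for r in relationships)
    return {
        "name": classify(pkg.get("name")),
        "version": classify(pkg.get("versionInfo")),
        "supplier": classify(pkg.get("supplier")),
        "unique_id": classify(purls),   # purl stands in for "other unique identifier"
        "relationship": "present" if involved else "absent",
    }


def check_ntia_minimum(spdx_json, accept_none=True, accept_noassertion=False):
    """Evaluate an SPDX JSON string against the NTIA baseline under a policy.

    Returns per-package and document-level classifications, the list of
    (element, attribute, state) tuples the policy rejects, and a verdict.
    Defaults: NONE is acceptable (attribute stated not to apply), NOASSERTION
    is a gap. Set accept_noassertion=True to model the other reading.
    """
    doc = json.loads(spdx_json)
    rels = doc.get("relationships", [])
    ci = doc.get("creationInfo", {})
    document = {"author": classify(ci.get("creators")), "timestamp": classify(ci.get("created"))}
    packages = {p["SPDXID"]: package_status(p, rels) for p in doc.get("packages", [])}
    accepted = {"present"}
    if accept_none:
        accepted.add("none")
    if accept_noassertion:
        accepted.add("noassertion")
    failures = [("SPDXRef-DOCUMENT", a, s) for a, s in document.items() if s not in accepted]
    failures += [(sid, a, s) for sid, attrs in packages.items()
                 for a, s in attrs.items() if s not in accepted]
    return {"packages": packages, "document": document,
            "failures": failures, "meets_minimum": not failures}


if __name__ == "__main__":
    for policy in ({}, {"accept_noassertion": True}):
        r = check_ntia_minimum(SAMPLE_SPDX_JSON, **policy)
        print(policy or "default policy", "->", r["meets_minimum"], r["failures"])
```

Run as-is, the script reports the sample as not meeting the minimum under the default policy, with the single failure being libfoo's NOASSERTION version, and as meeting it once accept_noassertion is set; the vendored snippet's NONE version passes under both because the producer has made an explicit "not applicable" statement rather than leaving a gap. Keeping the classification separate from the policy is what lets a consumer follow the framing document's advice (distinguish "no assertion" from "no value") without hard-coding either side of this thread's argument.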
