Thanks Nisha for the response. I have been digging deeper and have realized the same.
A follow-up question – do we see many customers generate and maintain a build SBOM or the source code scan SBOM is the most commonly used one ? CISA talks about 6 SBOM types and to me build SBOM and run time SBOMs look very relevant. But I have not seen these 2 being used too often. Regards, Vishal. From: Nisha Kumar <[email protected]> Sent: Friday, August 9, 2024 7:40 PM To: Vishal Goyal <[email protected]>; [email protected] Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx Caution: This email originated from outside of the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Hi Vishal, Most probably the difference comes from transitive dependencies pulled in during the build. Your pom.xml doesn't include those. nisha On 8/5/24 09:08, Vishal Goyal via lists.spdx.org wrote: All, I am looking for some help and guidance from experts on how to validate build SBOMs and check for any false positives. I have used this maven plugin to generate SPDX format build SBOM for an open source Java project (https://github.com/wmichalska/CreditManager) github.com/spdx/spdx-maven-plugin<https://github.com/spdx/spdx-maven-plugin> The build SBOM has around 120 lines. For the same codebase, i generated SBOM by doing source code scan - this has 10 lines. Can someone please advise how to validate the build SBOM ? Thanks, Vishal. DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Ltd. does not accept any liability for virus infected mails. -=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#5695): https://lists.spdx.org/g/Spdx-tech/message/5695 Mute This Topic: https://lists.spdx.org/mt/107734884/21656 Mute #spdx:https://lists.spdx.org/g/Spdx-tech/mutehashtag/spdx Group Owner: [email protected] Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
