Thanks Nisha for the response. I have been digging deeper and have realized the 
same.

A follow-up question – do we see many customers generate and maintain a build 
SBOM or the source code scan SBOM is the most commonly used one ?

CISA talks about 6 SBOM types and to me build SBOM and run time SBOMs look very 
relevant. But I have not seen these 2 being used too often.

Regards,
Vishal.

From: Nisha Kumar <[email protected]>
Sent: Friday, August 9, 2024 7:40 PM
To: Vishal Goyal <[email protected]>; [email protected]
Subject: Re: [spdx-tech] Validating Build SBOM in SPDX Format #spdx

Caution: This email originated from outside of the organization. Do not click 
links or open attachments unless you recognize the sender and know the content 
is safe.


Hi Vishal,

Most probably the difference comes from transitive dependencies pulled in 
during the build. Your pom.xml doesn't include those.

nisha
On 8/5/24 09:08, Vishal Goyal via lists.spdx.org wrote:
All,

I am looking for some help and guidance from experts on how to validate build 
SBOMs and check for any false positives.

I have used this maven plugin to generate SPDX format build SBOM for an open 
source Java project (https://github.com/wmichalska/CreditManager)

github.com/spdx/spdx-maven-plugin<https://github.com/spdx/spdx-maven-plugin>

The build SBOM has around 120 lines. For the same codebase, i generated SBOM by 
doing source code scan - this has 10 lines.
Can someone please advise how to validate the build SBOM ?

Thanks,
Vishal.

DISCLAIMER
==========
This e-mail may contain privileged and confidential information which is the 
property of Persistent Systems Ltd. It is intended only for the use of the 
individual or entity to which it is addressed. If you are not the intended 
recipient, you are not authorized to read, retain, copy, print, distribute or 
use this message. If you have received this communication in error, please 
notify the sender and delete all copies of this message. Persistent Systems 
Ltd. does not accept any liability for virus infected mails.


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5695): https://lists.spdx.org/g/Spdx-tech/message/5695
Mute This Topic: https://lists.spdx.org/mt/107734884/21656
Mute #spdx:https://lists.spdx.org/g/Spdx-tech/mutehashtag/spdx
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-


Reply via email to