This is how Microsoft has approached this: https://devblogs.microsoft.com/engineering-at-microsoft/generating-software-bills-of-materials-sboms-with-spdx-at-microsoft/
The one thing I'd add is that additional identifiers would be stored in External References.

Regards,
William Bartholomew (he/him)
Principal Security Strategist
Global Cybersecurity Policy - Microsoft

From: [email protected] <[email protected]> On Behalf Of Dick Brooks via lists.spdx.org
Sent: Monday, May 16, 2022 9:24 AM
To: [email protected]
Subject: [EXTERNAL] Re: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

NTIA Framing document has the mapping you seek: see page 13
https://www.ntia.gov/files/ntia/publications/ntia_sbom_framing_2nd_edition_20211021.pdf

However, the EO 14028 NTIA min element list is a little different from the framing document list (see attached).

Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report! (tm)
http://www.reliableenergyanalytics.com

From: [email protected] <[email protected]> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 12:10 PM
To: [email protected]
Subject: [spdx] SPDX and NTIA SBOM Minimum elements #spdx

Hi,

Is there any document reference which can be used to see the mapping between SPDX tags and NTIA Minimum elements? Some element names can be easily confused, something like "Author of SBOM Data" in NTIA Minimum elements and the "Creator" tag in SPDX, are those the same?

Regards
Sandeep

View/Reply Online (#1517): https://lists.spdx.org/g/spdx/message/1517
