Richard,
REA has effectively used SPDX and CycloneDX SBOM formats to conduct
software supply chain risk assessments since 2021. I suggest using the latest
SPDX SBOM version, 2.3.
Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Richard Hughes
Sent: Thursday, March 16, 2023 11:57 AM
To: [email protected]
Subject: Re: [spdx] SPDX Generator with RefIDs and package hierarchy
On Thu, 16 Mar 2023 at 14:40, <[email protected]> wrote:
> but we're also looking to support SPDX as well.
Is SPDX actually useful as an SBoM specification? I tried to add support into
uSWID a few months ago and it was totally underspecified compared to SWID.
Richard.
View/Reply Online (#1639): https://lists.spdx.org/g/spdx/message/1639
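The thread turns on whether SPDX is specified well enough to carry a package hierarchy through SPDXRef identifiers. Below is an added example, written for this page and not code from either poster or from the SPDX project: it parses a small SPDX 2.3 JSON document, checks that every SPDXRef used in a relationship is actually defined, rebuilds the parent-to-child hierarchy from CONTAINS and DEPENDS_ON relationships, and collects package-URL external refs for matching against vulnerability feeds. The SBOM content (package names, versions, the documentNamespace) is constructed for illustration; the field names and relationship types are the ones SPDX 2.3 defines.

```python
"""Check SPDXRef integrity and rebuild the package hierarchy of an SPDX 2.3 JSON SBOM.

Added example for this thread, not SPDX project code. SAMPLE_SBOM is a constructed
document with hypothetical packages; one DEPENDS_ON deliberately points at an
SPDXID that is never defined, so the integrity check has something to report.
"""
import json
import re

# SPDX 2.3: an SPDXID is "SPDXRef-" followed by letters, digits, "." and "-".
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
# Relationship types read here as parent -> child edges of the package hierarchy.
HIERARCHY_TYPES = {"CONTAINS", "DEPENDS_ON"}

SAMPLE_SBOM = r"""{
  "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-firmware-sbom",
  "documentNamespace": "https://example.invalid/spdx/example-firmware-1.0",
  "creationInfo": {"created": "2023-03-16T16:00:00Z", "creators": ["Tool: example-generator-0.1"]},
  "packages": [
    {"name": "example-firmware", "SPDXID": "SPDXRef-Package-firmware", "versionInfo": "1.0",
     "downloadLocation": "NOASSERTION", "filesAnalyzed": false},
    {"name": "zlib", "SPDXID": "SPDXRef-Package-zlib", "versionInfo": "1.2.13",
     "downloadLocation": "NOASSERTION", "filesAnalyzed": false,
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                       "referenceLocator": "pkg:generic/zlib@1.2.13"}]},
    {"name": "libpng", "SPDXID": "SPDXRef-Package-libpng", "versionInfo": "1.6.39",
     "downloadLocation": "NOASSERTION", "filesAnalyzed": false}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-Package-firmware"},
    {"spdxElementId": "SPDXRef-Package-firmware", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Package-libpng"},
    {"spdxElementId": "SPDXRef-Package-libpng", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-zlib"},
    {"spdxElementId": "SPDXRef-Package-libpng", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "SPDXRef-Package-missing"}
  ]
}"""


def defined_ids(doc):
    """All SPDXIDs the document defines: the document itself plus packages, files, snippets."""
    ids = {doc["SPDXID"]}
    for key in ("packages", "files", "snippets"):
        ids.update(e["SPDXID"] for e in doc.get(key, []))
    return ids


def check_refs(doc):
    """Return sorted referential-integrity problems; an empty list means the refs are consistent."""
    problems, ids, described = [], defined_ids(doc), False
    problems += [f"malformed SPDXID: {i}" for i in ids if not SPDXID_RE.match(i)]
    for rel in doc.get("relationships", []):
        for side in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[side]
            # NONE/NOASSERTION are legal targets; DocumentRef- prefixes point into other
            # documents and are out of scope for this single-document check.
            if ref in ("NONE", "NOASSERTION") or ref.startswith("DocumentRef-"):
                continue
            if ref not in ids:
                problems.append(f"{rel['relationshipType']} references undefined {ref}")
        if rel["spdxElementId"] == doc["SPDXID"] and rel["relationshipType"] == "DESCRIBES":
            described = True
    if not described:
        problems.append("document has no DESCRIBES relationship")
    return sorted(problems)


def package_tree(doc):
    """Map each SPDXID to the sorted SPDXIDs it CONTAINS or DEPENDS_ON."""
    tree = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] in HIERARCHY_TYPES:
            tree.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return {k: sorted(v) for k, v in tree.items()}


def transitive_closure(tree, root):
    """Every element reachable from root over the hierarchy; tolerates cycles."""
    seen, stack = set(), [root]
    while stack:
        for child in tree.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def purls(doc):
    """Package-URL external refs per package, the identifiers you match against vuln feeds."""
    out = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if ref.get("referenceType") == "purl":
                out.setdefault(pkg["SPDXID"], []).append(ref["referenceLocator"])
    return out


def analyse(text, root="SPDXRef-Package-firmware"):
    doc = json.loads(text)
    tree = package_tree(doc)
    return {"version": doc["spdxVersion"], "problems": check_refs(doc), "tree": tree,
            "closure": transitive_closure(tree, root), "purls": purls(doc)}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_SBOM).items():
        print(key, value)
```

The dangling `SPDXRef-Package-missing` reference is the kind of defect a generator that emits RefIDs without a package entry produces; a consumer that silently drops it would under-report the dependency closure, so the check is run before the tree is trusted. SPDX 2.3 made `licenseConcluded`, `licenseDeclared` and `copyrightText` optional on packages, which is why the sample omits them.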