I can vouch for Surendra's team – they are great to work with and are very talented software engineers; easy to work with.

Thanks,
Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
https://reliableenergyanalytics.com/products
Never trust software, always verify and report! ™
https://businesscyberguardian.com/
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Surendra Pathak
Sent: Friday, June 21, 2024 7:12 PM
To: [email protected]
Subject: Re: [spdx] Validating SPDX files - looking for a tool

> I have a question, though. Why didn't you list sbomqs as the first item?

We are passionate supporters of the community, and within SPDX, members have done a good job of maintaining ntia-conformance-check, so they should definitely get the credit first. Our goal with sbomqs has been cross-spec, multi-purpose utility, and we will continue to iterate with new features. Thanks for your support. If you have a feature request, we are all ears.

> I see. Well, if I don't find local CLI tools, I'll try to find a way to use
> an online API.

If you do consider the API route, the Interlynk platform is fully accessible via API and supports assessment, enrichment, vulnerability mapping, lifecycle, automated edits, and a ton more. Our goal has been to take operators' minds off of spec-specific details and more into their use cases - Security, Compliance, or DevOps. I can show it in action if you do go down that route.

Thanks!
- Surendra

On Fri, Jun 21, 2024 at 2:53 PM Luis Soeiro via lists.spdx.org <[email protected]> wrote:

Hi Surendra

On 2024-06-21 22:57, Surendra Pathak wrote:
> If you are looking for validation against spec -
> https://github.com/spdx/tools-python is the best (might need getting
> used to with the result of the format)

Yes, that's what I'm looking for.

> If you are looking for NTIA / Regulatory confirmation, the options are
> -
> a) https://github.com/spdx/ntia-conformance-checker
> b) https://github.com/interlynk-io/sbomqs
> c) https://github.com/eBay/sbom-scorecard
> d) https://github.com/anthonyharrison/sbomaudit

I'll take a look. Do the NTIA regulatory confirmation tools validate for the minimum fields?

> Of course, I am biased towards our tool - sbomqs, and we have also kept
> it up to date with new regulations such as BSI's SBOM requirements.

Ok. I've been using sbomqs and it is a nice tool. I wanted to see if there was anything official or that would be officially recommended.

I have a question, though. Why didn't you list sbomqs as the first item?

> However, all of the above tools work well in listing conformance
> issues.

Thanks for the list. I'll take a deeper look.

Best,
Luis

View/Reply Online (#1868): https://lists.spdx.org/g/spdx/message/1868
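As an added illustration of the question raised in the thread (whether the NTIA conformance tools check for the minimum fields), the following stdlib-only Python checker walks an SPDX 2.3 JSON document and reports which NTIA minimum elements are missing. It is example code written for this page, not the code of ntia-conformance-checker, sbomqs or any other tool named above. The mapping of the NTIA minimum elements onto SPDX JSON fields (supplier → `supplier`, component name → `name`, version → `versionInfo`, unique identifier → `SPDXID`, dependency relationship → `relationships`, author → `creationInfo.creators`, timestamp → `creationInfo.created`) is my assumption based on the common SPDX guidance, and the sample document is constructed for the example.

```python
"""NTIA minimum-element check over an SPDX 2.3 JSON document.

Added example, not code from any of the tools discussed on the list. The
field mapping below is an assumption of this example, not an official rule.
"""
import json

# Constructed sample SPDX 2.3 JSON document. Package A is complete; package B
# lacks a version and a supplier, and no relationship references it.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-sbom",
    "documentNamespace": "https://example.invalid/spdxdocs/example-app-1.0",
    "creationInfo": {
        "created": "2024-06-21T22:57:00Z",
        "creators": ["Tool: example-generator-0.1", "Organization: Example Corp"],
    },
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-A",
            "name": "libfoo",
            "versionInfo": "1.2.3",
            "supplier": "Organization: Foo Project",
            "externalRefs": [{
                "referenceCategory": "PACKAGE-MANAGER",
                "referenceType": "purl",
                "referenceLocator": "pkg:generic/libfoo@1.2.3",
            }],
        },
        {"SPDXID": "SPDXRef-Package-B", "name": "libbar"},
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-Package-A",
        },
    ],
})


def check_ntia_minimum(doc: dict) -> list:
    """Return a list of human-readable findings; an empty list means all
    NTIA minimum elements (as mapped in this example) are present."""
    findings = []

    # Author of SBOM data and timestamp live in creationInfo.
    creation = doc.get("creationInfo", {})
    if not creation.get("creators"):
        findings.append("document: missing author of SBOM data (creationInfo.creators)")
    if not creation.get("created"):
        findings.append("document: missing timestamp (creationInfo.created)")

    # Collect every element that takes part in at least one relationship so
    # we can flag packages that are not connected to anything.
    related = set()
    for rel in doc.get("relationships", []):
        related.add(rel.get("spdxElementId"))
        related.add(rel.get("relatedSpdxElement"))

    packages = doc.get("packages", [])
    if not packages:
        findings.append("document: no packages listed")

    for pkg in packages:
        pid = pkg.get("SPDXID") or "<no SPDXID>"
        if not pkg.get("SPDXID"):
            findings.append(f"{pid}: missing unique identifier (SPDXID)")
        if not pkg.get("name"):
            findings.append(f"{pid}: missing component name")
        if not pkg.get("versionInfo"):
            findings.append(f"{pid}: missing version")
        if not pkg.get("supplier"):
            findings.append(f"{pid}: missing supplier")
        if pkg.get("SPDXID") and pkg["SPDXID"] not in related:
            findings.append(f"{pid}: no relationship references this package")
    return findings


def check_ntia_minimum_json(text: str) -> list:
    """Convenience wrapper: parse SPDX JSON text and run the check."""
    return check_ntia_minimum(json.loads(text))


if __name__ == "__main__":
    for line in check_ntia_minimum_json(SAMPLE_SPDX_JSON):
        print(line)
```

Run against the constructed sample, the checker reports only package B: missing version, missing supplier, and no relationship referencing it. Real conformance tools go further (licence checks, schema validation of the whole document, per-regulation profiles such as the BSI requirements mentioned in the thread), so treat this as the shape of the minimum-element check rather than a substitute for them.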
