-
**Description**
According to the [IANA registration](https://www.iana.org/assignments/media-types/application/spdx+json), the media type for SPDX JSON documents should be `application/spdx+json`
Curre…
-
Even though we are setting the verbosity to values like Warning, Fatal or Error, we still see the `information` logs:
```powershell
##[information]Finished execution of the Generate workflow SBOMT…
-
### Description
Reports
a. More reports that do not include files marked as irrelevant, or allow the user to make a selection to include/exclude irrelevant files for all…
-
Suggestion to add the following information from the SPDX 2.3 spec:
> If the creator does not own their own website, a default SPDX CreatorWebsite and PathToSpdx can be used spdx.org/spdxdocs. Note…
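The two points above (the registered media type for SPDX JSON, and the default `spdx.org/spdxdocs` CreatorWebsite/PathToSpdx from the SPDX 2.3 spec) come together when a tool emits a document. The following is an added example, not code from any of the projects these issues were filed against: it builds the `documentNamespace` in the spec's `https://[CreatorWebsite]/[pathToSpdx]/[DocumentName]-[UUID]` shape, falling back to the default host and path when the creator has no website, and wraps it in a minimal SPDX 2.3 JSON document tagged with the IANA media type. The document name, creator string and sample UUID are constructed for illustration.

```python
"""Minimal SPDX 2.3 JSON document with a spec-conformant documentNamespace.
Added example; not the code of any SPDX tool or of the SPDX spec itself."""
import json
import re
import uuid
from datetime import datetime, timezone

# Defaults from the SPDX 2.3 spec for creators who do not own a website.
DEFAULT_CREATOR_WEBSITE = "spdx.org"
DEFAULT_PATH_TO_SPDX = "spdxdocs"
# IANA-registered media type for SPDX JSON documents.
SPDX_JSON_MEDIA_TYPE = "application/spdx+json"


def document_namespace(document_name, creator_website=None, path_to_spdx=None, doc_uuid=None):
    """Return https://[CreatorWebsite]/[pathToSpdx]/[DocumentName]-[UUID].

    A fresh UUID per document keeps the namespace unique even when the same
    tool produces many documents with the same name. The namespace is a URI,
    so characters outside [A-Za-z0-9.-] in the name are folded to '-'.
    """
    site = creator_website or DEFAULT_CREATOR_WEBSITE
    path = (path_to_spdx or DEFAULT_PATH_TO_SPDX).strip("/")
    doc_uuid = doc_uuid or str(uuid.uuid4())
    safe_name = re.sub(r"[^A-Za-z0-9.\-]+", "-", document_name)
    return f"https://{site}/{path}/{safe_name}-{doc_uuid}"


def build_document(document_name, creator, creator_website=None, doc_uuid=None, created=None):
    """Assemble the mandatory top-level fields of an SPDX 2.3 JSON document.

    `creator` is a full SPDX creator string such as "Tool: example-sbom-tool-0.1"
    (hypothetical tool name used for illustration).
    """
    created = created or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": document_name,
        "documentNamespace": document_namespace(document_name, creator_website, doc_uuid=doc_uuid),
        "creationInfo": {"created": created, "creators": [creator]},
        "packages": [],
        "relationships": [],
    }


def serialize(doc):
    """Return the JSON body and the Content-Type a server or API should send with it."""
    return json.dumps(doc, indent=2), SPDX_JSON_MEDIA_TYPE


if __name__ == "__main__":
    body, content_type = serialize(build_document("my-app", "Tool: example-sbom-tool-0.1"))
    print(f"Content-Type: {content_type}\n{body}")
```

Only pass `creator_website` when the creator actually controls that host: the default is meant for creators without a website, and a namespace under someone else's domain defeats the uniqueness guarantee the spec is after.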
-
Currently, `vet` supports writing simple policies to block packages with licenses identified by the SPDX code, e.g. `GPL-2.0`. However, background knowledge is required to identify the permissiveness of diffe…
-
In our build setup, we use some internal dependencies that are published in an internal Maven repository hosted on S3. The configuration for these repositories looks like this [1]:
```
maven {
…
-
Converting from SPDX (JSON) format to CycloneDX (JSON or XML) does not seem to work. To test it I:
1) Downloaded an SPDX file from GitHub as a sample (Firefox)
2) Downloaded the latest CLI tool
3…
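To make the conversion the report above is about concrete, here is an added example of the core SPDX-to-CycloneDX mapping, written for this page and not taken from the CLI tool in question. It maps SPDX `packages` to CycloneDX `components` (name, version, purl from `externalRefs`, license), turns `DEPENDS_ON` relationships into the CycloneDX `dependencies` graph, and handles the cases that commonly break converters: compound license expressions (CycloneDX uses `expression` rather than `license.id`), `NOASSERTION`/`NONE`, and packages with no version. The `SAMPLE_SPDX` document is constructed for the example; the CycloneDX output targets spec version 1.4.

```python
"""Convert the packages of an SPDX 2.3 JSON document into a CycloneDX 1.4 JSON BOM.
Added example; not the code of the CLI tool discussed in the issue above."""
import json

# Constructed SPDX 2.3 JSON fragment: three packages exercising the edge cases.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "sample-app",
    "packages": [
        {"SPDXID": "SPDXRef-Package-lodash", "name": "lodash", "versionInfo": "4.17.21",
         "licenseConcluded": "MIT",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:npm/lodash@4.17.21"}]},
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo", "versionInfo": "1.2",
         "licenseConcluded": "GPL-2.0-only OR MIT", "externalRefs": []},
        # No version, no purl, and no license assertion at all.
        {"SPDXID": "SPDXRef-Package-blob", "name": "blob", "licenseConcluded": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-lodash"},
        {"spdxElementId": "SPDXRef-Package-lodash", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    ],
}


def purl_of(pkg):
    """Pick the package-URL external reference, if the SPDX package carries one."""
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            return ref.get("referenceLocator")
    return None


def licenses_of(pkg):
    """Map SPDX concluded/declared license to the CycloneDX 'licenses' array.

    A single SPDX identifier becomes {"license": {"id": ...}}; an expression
    with AND/OR/WITH must use {"expression": ...}; NOASSERTION/NONE map to nothing.
    """
    expr = pkg.get("licenseConcluded") or pkg.get("licenseDeclared")
    if not expr or expr in ("NOASSERTION", "NONE"):
        return []
    if any(op in expr for op in (" OR ", " AND ", " WITH ")):
        return [{"expression": expr}]
    return [{"license": {"id": expr}}]


def component_of(pkg):
    """Build one CycloneDX component; optional fields are omitted rather than emitted empty."""
    comp = {"type": "library", "bom-ref": pkg["SPDXID"], "name": pkg["name"]}
    if pkg.get("versionInfo"):
        comp["version"] = pkg["versionInfo"]
    purl = purl_of(pkg)
    if purl:
        comp["purl"] = purl
    licenses = licenses_of(pkg)
    if licenses:
        comp["licenses"] = licenses
    return comp


def spdx_to_cyclonedx(spdx):
    """Return a CycloneDX 1.4 JSON BOM (as a dict) for an SPDX 2.3 JSON document (as a dict)."""
    deps = {}
    for rel in spdx.get("relationships", []):
        if rel.get("relationshipType") == "DEPENDS_ON":
            deps.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "version": 1,
        "metadata": {"component": {"type": "application", "name": spdx.get("name", "unknown")}},
        "components": [component_of(p) for p in spdx.get("packages", [])],
        "dependencies": [{"ref": ref, "dependsOn": targets} for ref, targets in deps.items()],
    }


if __name__ == "__main__":
    print(json.dumps(spdx_to_cyclonedx(SAMPLE_SPDX), indent=2))
```

When a converter "does not seem to work", the first things to diff are exactly these spots: a compound SPDX expression placed under `license.id` is rejected by CycloneDX schema validation, and an empty `version` or `licenses: []` fails stricter validators too.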
-
Hi,
Is this project maintained?
Is it possible to make this work with Yocto generated SBOMs? I have a demo using the action in https://github.com/mischief/spdx-sbom-test, with an SBOM generated …
-
I couldn't find any issue tracking this but please enlighten me if that is the case. Have there been any thoughts on creating a tool for gathering the license info and creating a BOM in the SPDX format…
mnil updated 11 months ago
-
Consider the following text:
```
SPDX-License-Identifier: (GPL-2.0+ OR BSD)
```
Here `BSD` is not a valid license expression, and even adding a rule is insufficient because the `SPDX-License-Iden…
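Both the `vet` policy issue earlier on this page (blocking packages by SPDX license code without knowing how permissive each code is) and the `SPDX-License-Identifier: (GPL-2.0+ OR BSD)` case above come down to parsing SPDX license expressions properly instead of string-matching them. The following is an added example, not code from `vet`, the SPDX project or any linter: a tokenizer and recursive-descent parser for SPDX expressions (`AND` binds tighter than `OR`; `WITH` attaches an exception; `+` means "or later"), a check that every identifier is on the license list, and a policy evaluator that treats a dual-licensed `OR` as acceptable when any option is acceptable and an `AND` as acceptable only when every part is. The `LICENSE_CATEGORY` table is a constructed subset of the SPDX License List with coarse categories assumed for illustration; a real policy would load the full list from spdx.org.

```python
"""Parse, validate and policy-check SPDX license expressions.
Added example; not the code of vet, the SPDX project or any license linter."""
import re

# Constructed subset of the SPDX License List with a coarse permissiveness
# category (assumption: a real policy loads the full list from spdx.org/licenses).
LICENSE_CATEGORY = {
    "MIT": "permissive",
    "Apache-2.0": "permissive",
    "BSD-2-Clause": "permissive",
    "BSD-3-Clause": "permissive",
    "MPL-2.0": "weak-copyleft",
    "LGPL-2.1-only": "weak-copyleft",
    "GPL-2.0": "copyleft",            # deprecated spelling, still common in headers
    "GPL-2.0-only": "copyleft",
    "GPL-2.0-or-later": "copyleft",
    "GPL-3.0-only": "copyleft",
    "AGPL-3.0-only": "network-copyleft",
}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}  # constructed subset
KEYWORDS = {"AND", "OR", "WITH"}

TOKEN_RE = re.compile(r"\s*(\(|\)|[A-Za-z0-9.\-]+\+?)")
HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*(.+?)\s*$")


def tokenize(expr):
    """Split an expression into '(', ')', keywords and identifiers; reject anything else."""
    expr, tokens, pos = expr.strip(), [], 0
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected character near offset {pos}: {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class Parser:
    """Grammar: or_expr := and_expr (OR and_expr)*; and_expr := primary (AND primary)*;
    primary := '(' or_expr ')' | id [WITH exception]. Trees are tuples."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected and tok != expected):
            raise ValueError(f"expected {expected or 'token'}, got {tok!r}")
        self.i += 1
        return tok

    def parse(self):
        node = self.or_expr()
        if self.peek() is not None:
            raise ValueError(f"trailing token {self.peek()!r}")
        return node

    def or_expr(self):
        node = self.and_expr()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.and_expr())
        return node

    def and_expr(self):
        node = self.primary()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.primary())
        return node

    def primary(self):
        if self.peek() == "(":
            self.take("(")
            node = self.or_expr()
            self.take(")")
            return node
        lic = self.take()
        if lic in KEYWORDS or lic == ")":
            raise ValueError(f"expected license id, got {lic!r}")
        if self.peek() == "WITH":
            self.take()
            return ("WITH", lic, self.take())
        return ("LIC", lic)


def unknown_ids(node):
    """List identifiers that are neither on the license list nor LicenseRef-* nor a known exception."""
    kind = node[0]
    if kind == "LIC":
        lic = node[1].rstrip("+")  # 'GPL-2.0+' is the 'or later' form of GPL-2.0
        return [] if lic in LICENSE_CATEGORY or lic.startswith("LicenseRef-") else [node[1]]
    if kind == "WITH":
        bad = unknown_ids(("LIC", node[1]))
        if node[2] not in KNOWN_EXCEPTIONS:
            bad.append(node[2])
        return bad
    return unknown_ids(node[1]) + unknown_ids(node[2])


def allowed(node, blocked_categories):
    """OR: acceptable if any option is; AND: all parts must be. Exceptions are not
    evaluated here (assumption: the base license's category is used as-is)."""
    kind = node[0]
    if kind in ("LIC", "WITH"):
        category = LICENSE_CATEGORY.get(node[1].rstrip("+"))
        return category is not None and category not in blocked_categories
    if kind == "OR":
        return allowed(node[1], blocked_categories) or allowed(node[2], blocked_categories)
    return allowed(node[1], blocked_categories) and allowed(node[2], blocked_categories)


def check_header_line(line, blocked=("copyleft", "network-copyleft")):
    """Validate the SPDX-License-Identifier tag on one source line and apply a block list."""
    m = HEADER_RE.search(line)
    if not m:
        return {"expression": None, "error": "no SPDX-License-Identifier tag", "allowed": False}
    expr = re.sub(r"\s*(\*/|-->)\s*$", "", m.group(1))  # drop a closing comment marker
    try:
        tree = Parser(tokenize(expr)).parse()
    except ValueError as exc:
        return {"expression": expr, "error": f"syntax: {exc}", "allowed": False}
    bad = unknown_ids(tree)
    if bad:
        return {"expression": expr, "error": f"unknown identifiers: {bad}", "allowed": False}
    return {"expression": expr, "error": None, "allowed": allowed(tree, set(blocked))}
```

On the line from the issue, `check_header_line("SPDX-License-Identifier: (GPL-2.0+ OR BSD)")` reports `unknown identifiers: ['BSD']`: the expression is syntactically fine, so a syntax rule alone would pass it, and only the identifier check catches the bare `BSD`. The same evaluator gives the `vet` case a category to block on instead of a flat list of codes.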