-
**What happened**:
Given a simple CycloneDX SBOM:
```json
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {
      "type": "library",
      "name": "somelib"
    }…
```
-
### What is your suggestion?
Bazel's SBOM generator (rules_license) requires that package build files contain a number of declarations to teach Bazel about name, package url, license, etc. Could co…
-
For a CycloneDX SBOM (v1.4 to v1.6) you can report a component in the "metadata" section (header) in addition to the "components" section (details). This component represents "The component that the B…
-
## Time
10 AM ET, 3 PM GMT
## Untracked attendees
- Fullname, Affiliation, (optional) GitHub username
- ...
## Meeting notices
- FINOS **Project leads** are responsible for observing the FIN…
-
Example - cncf-3.keycloack has project licenses like `Apache-2.0 (ASF header)` which are not valid.
This can be worked around by creating a LicenseRef for project licenses, but it would be much bet…
-
What version of CycloneDX are our SBOMs? What would it take to get current?
Once CDX is up to date, what version of SPDX?
-
sbomqs is currently not validating the SBOM against the official schema for CycloneDX or SPDX. This validation should be added to give a better picture of the SBOM.
reference: https://github.com/D…
-
Component.licenses has this text "EITHER (list of SPDX licenses and/or named licenses) OR (tuple of one SPDX License Expression)"
It is not made clear what a list of licenses means.
There are at leas…
-
## Summary
I started spdx-sbom-generator (current version), to generate an SBOM.
I can't detect the current version with `spdx-sbom-generator --version` (command not defined yet).
I got the outp…
-
[//]: # (Copyright Siemens AG, 2021. Part of the SW360 Portal Project)
[//]: # (This program and the accompanying materials are made)
[//]: # (available under the terms of the Eclipse Public License…