KAWAHARA-souta / alma-sbom

AlmaLinux OS SBOM data management utility.
GNU General Public License v3.0

The generated SBOM may not satisfy the NTIA minimum elements. #2

Closed KAWAHARA-souta closed 8 months ago

KAWAHARA-souta commented 8 months ago

Running an SBOM generated by alma-sbom through ntia-checker gives the following.

$ ntia-checker --file /mnt/NFS-fedora38/sbom-data/kernel-5.14.0-284.30.1.el9_2.x86_64.mayfixed.spdx.json

Is this SBOM NTIA minimum element conformant? False

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | True
All component identifiers provided?            | True
All component suppliers provided?              | False
SBOM author name provided?                     | True
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | True

The SPDX 2.3 supplier field is specified here: https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field

KAWAHARA-souta commented 8 months ago

This was a false positive, or rather I had fed it a half-finished SBOM from my trial-and-error runs. The supplier field is present in the SBOM, so there is no problem.

$ ntia-checker --file /mnt/NFS-fedora38/sbom-data/kernel-5.14.0-284.30.1.el9_2.x86_64.spdx.json

Is this SBOM NTIA minimum element conformant? True

Individual elements                            | Status
-------------------------------------------------------
All component names provided?                  | True
All component versions provided?               | True
All component identifiers provided?            | True
All component suppliers provided?              | True
SBOM author name provided?                     | True
SBOM creation timestamp provided?              | True
Dependency relationships provided?             | True
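The two checker runs above differ only in the "All component suppliers provided?" row. The added example below is not part of alma-sbom or of ntia-checker; it is a small stand-alone reimplementation of the seven NTIA minimum-element checks over an SPDX 2.3 JSON document, so that a reader can see which package-level field drives each row and list the packages that cause a `False`. The SBOM it parses is constructed inline (two packages, the second deliberately without a `supplier`), the function names are this example's own, and treating `NOASSERTION` as "not provided" and requiring at least one package are assumptions of this example rather than rules taken from the real checker.

```python
import json

# Constructed SPDX 2.3 JSON document for demonstration; it is NOT output of
# alma-sbom. The second package deliberately has no "supplier" field.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "creationInfo": {
        "created": "2024-01-01T00:00:00Z",
        "creators": ["Tool: example-generator"],
    },
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-kernel",
            "name": "kernel",
            "versionInfo": "5.14.0-284.30.1.el9_2",
            "supplier": "Organization: Example Vendor",
        },
        {
            "SPDXID": "SPDXRef-Package-glibc",
            "name": "glibc",
            "versionInfo": "2.34",
            # no "supplier": this is what makes the suppliers row False
        },
    ],
    "relationships": [
        {
            "spdxElementId": "SPDXRef-DOCUMENT",
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": "SPDXRef-Package-kernel",
        }
    ],
})


def _provided(value) -> bool:
    """A field counts as provided when it is present, non-empty and not the
    SPDX placeholder NOASSERTION (assumption of this example)."""
    return bool(value) and value != "NOASSERTION"


def load_spdx(text: str) -> dict:
    """Parse an SPDX JSON document from a string."""
    return json.loads(text)


def missing_suppliers(doc: dict) -> list[str]:
    """Names of packages whose supplier field is absent, empty or NOASSERTION."""
    return [
        pkg.get("name", pkg.get("SPDXID", "?"))
        for pkg in doc.get("packages", [])
        if not _provided(pkg.get("supplier"))
    ]


def check_ntia_minimum_elements(doc: dict) -> dict[str, bool]:
    """Evaluate the seven NTIA minimum elements against an SPDX 2.3 JSON dict.
    Package-level rows are False for an SBOM with no packages at all, so an
    empty document cannot pass trivially (assumption of this example)."""
    pkgs = doc.get("packages", [])
    have_pkgs = bool(pkgs)
    info = doc.get("creationInfo", {})
    return {
        "All component names provided?": have_pkgs and all(_provided(p.get("name")) for p in pkgs),
        "All component versions provided?": have_pkgs and all(_provided(p.get("versionInfo")) for p in pkgs),
        # SPDXID serves as the per-component identifier here
        "All component identifiers provided?": have_pkgs and all(_provided(p.get("SPDXID")) for p in pkgs),
        "All component suppliers provided?": have_pkgs and not missing_suppliers(doc),
        "SBOM author name provided?": bool(info.get("creators")),
        "SBOM creation timestamp provided?": _provided(info.get("created")),
        "Dependency relationships provided?": bool(doc.get("relationships")),
    }


def is_conformant(results: dict[str, bool]) -> bool:
    """The SBOM conforms only when every individual element is satisfied."""
    return all(results.values())


def render_report(results: dict[str, bool]) -> str:
    """Format the results in the same table layout as the checker output above."""
    lines = [
        f"Is this SBOM NTIA minimum element conformant? {is_conformant(results)}",
        "",
        f"{'Individual elements':<46} | Status",
        "-" * 55,
    ]
    lines += [f"{name:<46} | {status}" for name, status in results.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    doc = load_spdx(SAMPLE_SPDX_JSON)
    print(render_report(check_ntia_minimum_elements(doc)))
    print("Packages without supplier:", missing_suppliers(doc))
```

Running the block prints the same kind of table as in the issue, with only the suppliers row `False`, followed by `['glibc']`; adding a `supplier` to that package flips the verdict to `True`, which is the situation the second comment describes.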