Closed KAWAHARA-souta closed 8 months ago
This was less a false positive than a case of me loading a half-finished SBOM while still experimenting. The supplier field is in the SBOM, so there is no problem.
$ ntia-checker --file /mnt/NFS-fedora38/sbom-data/kernel-5.14.0-284.30.1.el9_2.x86_64.spdx.json
Is this SBOM NTIA minimum element conformant? True
Individual elements | Status
-------------------------------------------------------
All component names provided? | True
All component versions provided? | True
All component identifiers provided? | True
All component suppliers provided? | True
SBOM author name provided? | True
SBOM creation timestamp provided? | True
Dependency relationships provided? | True
Running the SBOM generated by alma-sbom through ntia-checker gives the following.
For the supplier field in SPDX 2.3, see: https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field
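To find which packages in a half-finished SPDX 2.3 JSON document would fail a supplier check, the sketch below classifies each package's `supplier` value against the forms in clause 7.5 of the linked spec. It is an added example, not code from alma-sbom or ntia-checker; the sample document, the organization name and address, and the `allow_noassertion` policy switch are assumptions made for illustration.

```python
import re

# SPDX 2.3 clause 7.5 value forms: "Person: <name> (<email>)" or
# "Organization: <name> (<email>)" with the email optional, or NOASSERTION.
SUPPLIER_RE = re.compile(r"^(Person|Organization): \S.*$")

# Constructed sample (not from the issue): only pkg-a has a usable supplier.
PARTIAL_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-pkg-a", "name": "pkg-a",
         "supplier": "Organization: Example Org (sbom@example.org)"},
        {"SPDXID": "SPDXRef-pkg-b", "name": "pkg-b"},
        {"SPDXID": "SPDXRef-pkg-c", "name": "pkg-c", "supplier": "NOASSERTION"},
        {"SPDXID": "SPDXRef-pkg-d", "name": "pkg-d", "supplier": "Example Org"},
    ],
}


def classify_supplier(pkg):
    """Return 'ok', 'missing', 'noassertion' or 'malformed' for one package."""
    value = pkg.get("supplier")
    if not isinstance(value, str) or not value.strip():
        return "missing"
    value = value.strip()
    if value == "NOASSERTION":
        return "noassertion"
    return "ok" if SUPPLIER_RE.match(value) else "malformed"


def supplier_report(doc):
    """Group package SPDXIDs by supplier status so gaps can be fixed."""
    report = {}
    for pkg in doc.get("packages", []):
        status = classify_supplier(pkg)
        report.setdefault(status, []).append(pkg.get("SPDXID", "<no SPDXID>"))
    return report


def all_suppliers_provided(doc, allow_noassertion=False):
    """True only if the document has packages and every one is accepted."""
    # Assumption: counting NOASSERTION as "provided" is a local policy choice.
    accepted = {"ok", "noassertion"} if allow_noassertion else {"ok"}
    report = supplier_report(doc)
    return bool(report) and set(report) <= accepted


if __name__ == "__main__":
    print(supplier_report(PARTIAL_SBOM), all_suppliers_provided(PARTIAL_SBOM))
```

Load a real document with `json.load` and pass the resulting dict to `supplier_report` to list the SPDXIDs that still need a supplier before running the conformance check.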