Open JonDouglas opened 1 year ago
Is the intention to support only the SPDX format or is there scope for supporting others like CycloneDX?
@TiberiusDRAIG The intention would be to support what sbom-tool supports at this point.
With this being removed from the 6.8 milestone:
Don't read into our backlog tagging too much. It just means that we finished our 6.8 release recently.
Just so people know, you can go try out the initial SBOM package by following this issue here:
@JonDouglas This looks cool. I have a native library inside my NuGet package, and I do have an SBOM for that native library. Is there a way to get that merged in as well?
An SBOM is a nested inventory: a list of ingredients that make up software components.
This epic tracks the work to support providing an SPDX-formatted and NTIA-compliant SBOM inside a NuGet package, based on the SBOM Everywhere initiative to bring seamless end-to-end interoperability for security use cases at five major levels of software development:
We will most likely utilize sbom-tool to accomplish this task.
Please 👍 or 👎 this comment to help us with the direction of this epic & leave as much feedback/questions/concerns as you'd like on this issue itself and we will get back to you shortly.
Further tracking issues will be created shortly as requirements are gathered and planned.
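To make "NTIA compliant" concrete for anyone evaluating the generated SBOM: the NTIA minimum elements are supplier, component name, version, other unique identifiers, dependency relationship, author of the SBOM data, and timestamp. The checker below is an added example, not code from NuGet or from sbom-tool; it walks an SPDX 2.2 JSON document and reports which of those elements are missing per package. The embedded document is constructed for illustration (package names, SPDX IDs, supplier names and the namespace URL are made up), and the rule that a package must appear in a DESCRIBES or dependency relationship is this example's own interpretation of "dependency relationship".

```python
"""Check an SPDX 2.2 JSON SBOM for the NTIA minimum elements (added example)."""
import json
import re

# SPDX requires creationInfo.created in the form YYYY-MM-DDThh:mm:ssZ (UTC).
SPDX_TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
# Relationship types this example accepts as evidence of a dependency link.
DEPENDENCY_TYPES = {"DEPENDS_ON", "DEPENDENCY_OF", "CONTAINS", "CONTAINED_BY"}

# Constructed sample document: two complete packages plus one deliberately
# incomplete native library (no version, supplier, identifier or relationship).
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
    "name": "Contoso.Widgets 1.2.3",
    "documentNamespace": "https://sbom.example.invalid/Contoso.Widgets/1.2.3",
    "creationInfo": {"created": "2023-05-01T12:00:00Z",
                     "creators": ["Organization: Contoso", "Tool: example-generator-0.1"]},
    "packages": [
        {"name": "Contoso.Widgets", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.2.3",
         "supplier": "Organization: Contoso", "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:nuget/Contoso.Widgets@1.2.3"}]},
        {"name": "Fabrikam.Logging", "SPDXID": "SPDXRef-Package-FabrikamLogging",
         "versionInfo": "4.0.1", "supplier": "Organization: Fabrikam",
         "downloadLocation": "NOASSERTION",
         "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                           "referenceLocator": "pkg:nuget/Fabrikam.Logging@4.0.1"}]},
        {"name": "libnative", "SPDXID": "SPDXRef-Package-libnative",
         "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"spdxElementId": "SPDXRef-RootPackage", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-FabrikamLogging"},
    ],
}
SAMPLE_SPDX = json.dumps(SAMPLE_DOC)


def package_findings(pkg: dict, in_dependency_graph: bool) -> list[str]:
    """Return the NTIA per-component elements missing from one SPDX package."""
    problems = []
    if not pkg.get("name"):
        problems.append("component name missing")
    if not pkg.get("versionInfo"):
        problems.append("version missing")
    if not pkg.get("supplier", "").startswith(("Organization:", "Person:")):
        problems.append("supplier missing or not an 'Organization:'/'Person:' entry")
    refs = pkg.get("externalRefs", [])
    if not any(r.get("referenceType") in ("purl", "cpe22Type", "cpe23Type") for r in refs):
        problems.append("no unique identifier (purl or CPE) in externalRefs")
    if not in_dependency_graph:
        problems.append("no DESCRIBES or dependency relationship references this package")
    return problems


def check_ntia_minimum_elements(spdx) -> dict[str, list[str]]:
    """Map SPDX element IDs to their missing NTIA elements; empty dict means clean."""
    doc = json.loads(spdx) if isinstance(spdx, str) else spdx
    findings: dict[str, list[str]] = {}

    # Document-level elements: timestamp and SBOM author.
    info = doc.get("creationInfo", {})
    doc_problems = []
    if not SPDX_TIMESTAMP.match(info.get("created", "")):
        doc_problems.append("creationInfo.created missing or not an SPDX UTC timestamp")
    if not any(c.startswith(("Organization:", "Person:")) for c in info.get("creators", [])):
        doc_problems.append("creationInfo.creators names no Person/Organization author")
    if doc_problems:
        findings[doc.get("SPDXID", "<document>")] = doc_problems

    # Every element that takes part in a dependency link, plus the described root.
    graph_nodes = set()
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype in DEPENDENCY_TYPES:
            graph_nodes.update((rel.get("spdxElementId"), rel.get("relatedSpdxElement")))
        elif rtype == "DESCRIBES":
            graph_nodes.add(rel.get("relatedSpdxElement"))

    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        problems = package_findings(pkg, pid in graph_nodes)
        if problems:
            findings[pid] = problems
    return findings


def is_ntia_compliant(spdx) -> bool:
    return not check_ntia_minimum_elements(spdx)


if __name__ == "__main__":
    for element, problems in check_ntia_minimum_elements(SAMPLE_SPDX).items():
        print(element)
        for p in problems:
            print("  -", p)
```

Run against a real `sbom-tool` output by passing the contents of its `manifest.spdx.json` to `check_ntia_minimum_elements`; in the sample, only the native library is reported, which is exactly the case raised in the thread: a binary dropped into the package without its own SBOM data is what turns an otherwise complete document non-compliant.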