shanecoughlan
commented
2 years ago Our current definition is:
2.12 - Software Bill of Materials (SBOM) A structured format such as SPDX ISO/IEC 5962:2021 that allows the exchange of information for a software package, including associated license, copyright information and Known Vulnerabilities.
Our definition of an SBOM is admittedly larger than a security-only scoped SBOM, but the "ask" inside our specification is limited to leveraging the SBOM for the purposes of security. This would appear to fit into the current scoping of ISO/IEC standards or de facto SBOM standards in the domain (which we want to encourage use of), while not actually asking our demographic to use the relevant SBOM outside the scope of security inside the activity of applying our specification.
From Chris Wood regarding 2.0 RC1 "Would make sense to define the SBOM as all of the supplied software while clarifying that compliance with this specification only requires tracking and vulnerability remediation activities for the OSS components. That would enable it to fit well into a broader software supply chain security effort.”