OpenChain-Project / Security-Assurance-Specification


[Improvement] Addressing changes in other projects / standards naming conventions - Security Assurance 2.0 Draft #38

Closed shanecoughlan closed 3 weeks ago

shanecoughlan commented 3 weeks ago

A topic raised during the meeting of 2024-09-03, and perhaps out-of-bounds for the Public Comment period, but may be an issue to have for (a) the next iteration or (b) an adjustment that would move us into a second potential Public Comment period.

We say:

2: Terms, Definitions and Examples

2.15 - software bill of materials (SBOM)

a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. An example is the (Software Package Data Exchange) SPDX specification created by the Linux Foundation's SPDX Project to exchange bill of materials for a given software package (see spdx.org). Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

However, SPDX has changed its name, calling itself "System" instead of "Software" from 3.0 onward.

How should we address this? One option is to reference a precise version of the SPDX Specification, for example V2.2.1, which is what became ISO 5962:2021.

shanecoughlan commented 3 weeks ago

As per 2024-11-05, proposal raised by Chris to find a specification definition of SBOM, which allows people to find their own path to a market solution. This infers a search to be undertaken by the Spec Committee to find such a specification or give multiple examples.

"Currently approved" SBOM specifications? Etc. Needs more review. CRA is a key point to review.

= Discussion progressed =

One option - skipping ahead without a longer process - is to remove the middle sentence and proceed as follows:

2.15 - software bill of materials (SBOM)

a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.

= Final decision of group on 2024-11-05 =

All in favor of:

2.15 - software bill of materials (SBOM)

a “Software Bill of Materials” (SBOM) is an inventory for software, a list of ingredients that make up software components. Regardless of the SBOM specification used, it should follow a complete profile for the intended use case.