OpenChain-Project / Telco-WG

This is the OpenChain Telco Work Group

[Improvement] Package checksum (Component hash) missing from the required fields #51

Closed winterrocks closed 1 year ago

winterrocks commented 1 year ago

Add checksum to the required fields

NTIA requires in their SBOM minimum fields that there is also a component hash and this seems to be missing in the https://github.com/OpenChain-Project/Telco-WG/blob/main/OpenChain%20Telco%20SBOM%20Specification.md#34-spdx-elements-to-be-included-in-the-sbom section of this spec document.

NTIA fields mapping with SPDX

At least SPDX 2.3 has this table: https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k22-mapping-ntia-minimum-elements-to-spdx-fields (table K.2.2) that shows how NTIA minimum elements map with SPDX fields and there is:
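As an added illustration of what the missing field means in practice (example code written for this page, not part of the issue, the Telco WG specification, or any SPDX tooling): a small checker that parses an SPDX 2.3 tag-value document, flags packages that carry no PackageChecksum, and lets a recipient verify a recorded SHA256 against the bytes they actually received. The SBOM text, package names and artifact bytes are constructed for the example.

```python
import hashlib
import re

# Constructed sample: a stand-in for a downloaded artifact, and its real SHA256.
ARTIFACT_BYTES = b"example package contents\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT_BYTES).hexdigest()

# Constructed SPDX 2.3 tag-value SBOM: libalpha carries a PackageChecksum, libbeta does not.
SAMPLE_SBOM = f"""SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example
DocumentNamespace: https://example.invalid/spdx/constructed-example

PackageName: libalpha
SPDXID: SPDXRef-Package-libalpha
PackageVersion: 1.0.0
PackageSupplier: Organization: Example Supplier
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageChecksum: SHA256: {ARTIFACT_SHA256}

PackageName: libbeta
SPDXID: SPDXRef-Package-libbeta
PackageVersion: 2.1.0
PackageSupplier: Organization: Example Supplier
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
"""

# A tag-value line is "Tag: value"; the value itself may contain further colons.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_packages(text):
    """Parse SPDX 2.3 tag-value text into a list of package dicts.

    A new package starts at each PackageName tag. PackageChecksum may be
    repeated (one line per algorithm), so checksums are collected into a
    dict keyed by upper-cased algorithm name.
    """
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = {"PackageName": value, "checksums": {}}
            packages.append(current)
        elif current is None:
            # Document-level tags before the first package are not needed here.
            continue
        elif tag == "PackageChecksum":
            algo, _, digest = value.partition(":")
            current["checksums"][algo.strip().upper()] = digest.strip().lower()
        else:
            current[tag] = value
    return packages


def missing_checksum(packages):
    """Return the names of packages that carry no PackageChecksum at all."""
    return [p["PackageName"] for p in packages if not p["checksums"]]


def verify_sha256(package, data):
    """Compare a package's recorded SHA256 with the bytes a recipient holds.

    Returns True/False for a match/mismatch, or None when the SBOM gives the
    recipient nothing to check against.
    """
    recorded = package["checksums"].get("SHA256")
    if recorded is None:
        return None
    return hashlib.sha256(data).hexdigest() == recorded


if __name__ == "__main__":
    pkgs = parse_packages(SAMPLE_SBOM)
    print("packages without PackageChecksum:", missing_checksum(pkgs))
    for p in pkgs:
        print(p["PackageName"], "sha256 verified:", verify_sha256(p, ARTIFACT_BYTES))
```

The point the checker makes is the one the issue raises: without a recorded hash the recipient can confirm a name and version but not that the bytes in hand are the component the SBOM describes.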

vargenau commented 1 year ago

Hi Jari,

Thank you for your comment.

As I understand, “Component Hash” is not a field listed in “The Minimum Elements for a SBOM” (https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf). It is present only in the other document listed in SPDX 2.3, “NTIA's Framing Software Component Transparency: Establishing a Common Software Bill of Materials” (https://www.ntia.gov/files/ntia/publications/framingsbom_20191112.pdf).

But I agree we might make it mandatory.

Let us discuss it in our next call.

Best regards,

Marc-Etienne

From: Jari Koivisto. Sent: Tuesday, May 2, 2023 2:49 PM. To: OpenChain-Project/Telco-WG. Subject: [OpenChain-Project/Telco-WG] [Improvement] Package checksum (Component hash) missing from the required fields (Issue #51)


winterrocks commented 1 year ago

Interesting that NTIA has this mixed messaging. But IMHO the component hash is a useful field to have and I hope that current and coming tooling will be able to provide it as a default.

Jimmy-ahlberg commented 1 year ago

I would support adding this as well; it does not seem to add much burden to the providers of SBOMs but much potential value to the recipients of the SBOM.