Closed mprpic closed 3 months ago
@twaugh I reworked this to pinpoint a specific RHEL version. This is now essentially an example of a release-time, product-level SBOM that describes a component and the product it belongs to. It only points to the SRPM, with the understanding that the https://github.com/RedHatProductSecurity/security-data-guidelines/blob/main/sbom/examples/rpm/openssl-3.0.7-18.el9_2.spdx.json SBOM is the referenced component-level SBOM.
This is a mock product-level SBOM that includes a node that represents a product (here a hypothetical RHEL 99.9 that consists of exactly one openssl RPM).
This uses the same style of referencing to other SBOMs as #3, but I'm happy to rework it to use DocumentRef if we choose that as a way to refer to other documents.
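As an added example (not code from this PR or from the security-data-guidelines repository), the following Python builds the structure this comment describes: a product-level SPDX 2.3 document whose product node (a hypothetical RHEL 99.9) CONTAINS exactly one openssl SRPM node, with the SRPM pointing at the component-level SBOM. It uses an SPDX `ExternalDocumentRef` (the `DocumentRef` mechanism mentioned above) as an assumption about the referencing style, and adds the check a consumer would want: every `DocumentRef-…:` target must be declared, and the declared SHA1 must match the fetched component document. The document namespace, creation info, SPDXIDs and the component-document bytes are constructed placeholders.

```python
"""Product-level SPDX 2.3 SBOM referring to a component-level SBOM via DocumentRef.

Added example, not the repository's own code. Constructed assumptions: product
RHEL 99.9 with one openssl SRPM, DocumentRef-openssl as the external reference,
placeholder namespace/creation info, and fake bytes for the component document.
"""
import hashlib
import json

# URL of the component-level SBOM named in the PR discussion.
COMPONENT_SBOM_URL = (
    "https://github.com/RedHatProductSecurity/security-data-guidelines/"
    "blob/main/sbom/examples/rpm/openssl-3.0.7-18.el9_2.spdx.json"
)
# Constructed stand-in for that document's bytes; only its SHA1 matters here,
# because an SPDX ExternalDocumentRef pins the referenced file by checksum.
COMPONENT_SBOM_BYTES = b'{"spdxVersion": "SPDX-2.3", "name": "openssl-3.0.7-18.el9_2"}'


def build_product_sbom(component_sbom_bytes: bytes) -> dict:
    """Return a product-level SBOM: one product node, one SRPM node, one DocumentRef."""
    sha1 = hashlib.sha1(component_sbom_bytes).hexdigest()
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "RHEL-99.9",
        "documentNamespace": "https://example.com/spdx/RHEL-99.9",  # hypothetical
        "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example"]},
        "externalDocumentRefs": [{
            "externalDocumentId": "DocumentRef-openssl",
            "spdxDocument": COMPONENT_SBOM_URL,
            "checksum": {"algorithm": "SHA1", "checksumValue": sha1},
        }],
        "packages": [
            {"name": "RHEL", "SPDXID": "SPDXRef-RHEL", "versionInfo": "99.9",
             "downloadLocation": "NOASSERTION"},
            {"name": "openssl", "SPDXID": "SPDXRef-openssl-src",
             "versionInfo": "3.0.7-18.el9_2", "downloadLocation": "NOASSERTION"},
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-RHEL"},
            {"spdxElementId": "SPDXRef-RHEL", "relationshipType": "CONTAINS",
             "relatedSpdxElement": "SPDXRef-openssl-src"},
            # Cross-document pointer: the SRPM is described in full by the
            # component-level SBOM, addressed as DocumentRef-<id>:<SPDXID>.
            {"spdxElementId": "SPDXRef-openssl-src", "relationshipType": "DESCRIBED_BY",
             "relatedSpdxElement": "DocumentRef-openssl:SPDXRef-DOCUMENT"},
        ],
    }


def check_product_sbom(doc: dict, referenced: dict) -> list:
    """Return a list of structural problems (empty list means the SBOM is consistent).

    `referenced` maps externalDocumentId -> bytes of the fetched document, so the
    pinned SHA1 is verified before the component-level SBOM is trusted.
    """
    problems = []
    local_ids = {p["SPDXID"] for p in doc.get("packages", [])}
    doc_refs = {r["externalDocumentId"]: r for r in doc.get("externalDocumentRefs", [])}
    rels = doc.get("relationships", [])

    described = [r["relatedSpdxElement"] for r in rels
                 if r["spdxElementId"] == "SPDXRef-DOCUMENT"
                 and r["relationshipType"] == "DESCRIBES"]
    if len(described) != 1:
        return [f"expected exactly one DESCRIBES from the document, got {len(described)}"]
    product = described[0]
    if product not in local_ids:
        problems.append(f"product {product} is not a package in this document")

    contained = [r["relatedSpdxElement"] for r in rels
                 if r["spdxElementId"] == product and r["relationshipType"] == "CONTAINS"]
    if not contained:
        problems.append(f"product {product} CONTAINS nothing")
    problems += [f"contained element {c} is not a package in this document"
                 for c in contained if c not in local_ids]

    # Every external element must use a declared DocumentRef whose checksum matches.
    for r in rels:
        target = r["relatedSpdxElement"]
        if ":" not in target:
            continue  # local element
        ref_id = target.partition(":")[0]
        ref = doc_refs.get(ref_id)
        if ref is None:
            problems.append(f"{target} uses undeclared {ref_id}")
        elif ref_id not in referenced:
            problems.append(f"no fetched document for {ref_id} ({ref['spdxDocument']})")
        elif hashlib.sha1(referenced[ref_id]).hexdigest() != ref["checksum"]["checksumValue"]:
            problems.append(f"checksum mismatch for {ref_id}: referenced SBOM was altered")
    return problems


if __name__ == "__main__":
    sbom = build_product_sbom(COMPONENT_SBOM_BYTES)
    print(json.dumps(sbom, indent=2))
    print("problems:", check_product_sbom(sbom, {"DocumentRef-openssl": COMPONENT_SBOM_BYTES}))
```

The checksum step is the part worth keeping whichever referencing style is chosen: a product-level SBOM that names a component-level SBOM by URL alone lets a consumer be handed a different openssl document than the one the product release was described against.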