kubernetes-sigs / bom

A utility to generate SPDX-compliant Bill of Materials manifests
https://kubernetes-sigs.github.io/bom/
Apache License 2.0

Refactor internals to use protobom #440

Open puerco opened 1 month ago

puerco commented 1 month ago

What would you like to be added:

Historically, bom has maintained its internal SPDX model, including an SPDX tag-value import and export and JSON types to read and write spdx-json. We should offload the ingestion and SPDX serialization to protobom, which is a project started for that exact purpose.

Why is this needed:

There is no need to handle the format-specific code in bom; we should focus on good UI that lets us describe our releases properly, integration with our release tooling and other CI/CD infrastructure.