Open codeboten opened 7 months ago
There seem to be at least three SBOM formats. We probably should decide on which one we want to use first.
SWIDs claim to be an SBOM format but are more of an identifier format, and not really a great solution there either. Realistically the decision is between SPDX and CycloneDX, though they are mostly interchangeable unless you have a very specific use case. My perspective comes from CNCF TAG Security, work with OpenSSF, and work with the SPDX community.
If folks are interested I can pull in experts to discuss with your community.
I am interested ✌️. What is this use case you mention above, @mlieberman85?
This would be great @mlieberman85!
So the use cases where they're not interchangeable right now are mostly focused on specific fields that might be in one but not the other. For example, there are AI/ML-model-specific bill of materials fields already released in CycloneDX, and a similar SPDX feature is still being developed.
Let me reach out to some of the folks in the community and tag them in this thread.
Adding @puerco who is an expert in the community.
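The two claims in the comments above (SPDX and CycloneDX are mostly interchangeable, except where one has a field the other lacks, such as the CycloneDX machine-learning-model component) can be checked concretely. The following is an added example written for this issue, not code from the project or from any of the commenters. It loads a trimmed, constructed SPDX 2.3 JSON document and a constructed CycloneDX 1.5 JSON document (illustrative only, not validated against either schema), detects which format each is, flattens both into one component list, and diffs them. The only format-specific facts it relies on are the top-level `spdxVersion` / `bomFormat` markers, SPDX `packages[].name/versionInfo/primaryPackagePurpose`, CycloneDX `metadata.component` and (nested) `components[].name/version/type`, and the CycloneDX component type `machine-learning-model`; everything else (sample package names, versions, function names) is made up for the demonstration.

```python
"""Detect and normalize SPDX 2.x and CycloneDX 1.x JSON SBOMs (added example)."""
import json

# Constructed SPDX 2.3 sample (trimmed; illustrative, not schema-validated).
SPDX_SAMPLE = """{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-app",
  "documentNamespace": "https://example.invalid/spdx/example-app",
  "packages": [
    {"name": "example-app", "SPDXID": "SPDXRef-app", "versionInfo": "1.2.0",
     "downloadLocation": "NOASSERTION", "primaryPackagePurpose": "APPLICATION"},
    {"name": "requests", "SPDXID": "SPDXRef-requests", "versionInfo": "2.31.0",
     "downloadLocation": "NOASSERTION", "primaryPackagePurpose": "LIBRARY"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-app"},
    {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-requests"}
  ]
}"""

# Constructed CycloneDX 1.5 sample (trimmed; illustrative, not schema-validated).
# It carries a nested component and a machine-learning-model component, which
# is the CycloneDX-only feature mentioned in the thread.
CDX_SAMPLE = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "1.2.0"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "components": [{"type": "library", "name": "urllib3", "version": "2.0.7"}]},
    {"type": "machine-learning-model", "name": "spam-classifier", "version": "3"}
  ]
}"""


def load(text):
    """Parse an SBOM document from JSON text."""
    return json.loads(text)


def detect_format(doc):
    """Return 'spdx' or 'cyclonedx' based on the document's top-level markers."""
    if doc.get("bomFormat") == "CycloneDX":
        return "cyclonedx"
    if str(doc.get("spdxVersion", "")).startswith("SPDX-"):
        return "spdx"
    raise ValueError("not a recognised SBOM document")


def _walk_cdx(components):
    """Yield CycloneDX components depth-first, including nested sub-components."""
    for comp in components:
        yield {"name": comp.get("name"), "version": comp.get("version"), "type": comp.get("type")}
        yield from _walk_cdx(comp.get("components", []))


def normalize(doc):
    """Flatten either format into a list of {name, version, type} dicts.

    SPDX's primaryPackagePurpose (e.g. LIBRARY, OPERATING-SYSTEM) is lowercased so
    the values that both vocabularies share line up with CycloneDX's type strings.
    """
    if detect_format(doc) == "spdx":
        items = []
        for pkg in doc.get("packages", []):
            purpose = pkg.get("primaryPackagePurpose")
            items.append({"name": pkg.get("name"), "version": pkg.get("versionInfo"),
                          "type": purpose.lower() if purpose else None})
        return items
    items = []
    root = doc.get("metadata", {}).get("component")
    if root:
        items.extend(_walk_cdx([root]))
    items.extend(_walk_cdx(doc.get("components", [])))
    return items


def ml_models(doc):
    """Names of components typed as ML models (a CycloneDX 1.5 component type)."""
    return [c["name"] for c in normalize(doc) if c["type"] == "machine-learning-model"]


def diff_components(doc_a, doc_b):
    """(name, version) pairs only in A, and only in B, regardless of SBOM format."""
    a = {(c["name"], c["version"]) for c in normalize(doc_a)}
    b = {(c["name"], c["version"]) for c in normalize(doc_b)}
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    spdx_doc, cdx_doc = load(SPDX_SAMPLE), load(CDX_SAMPLE)
    print(detect_format(spdx_doc), normalize(spdx_doc))
    print(detect_format(cdx_doc), normalize(cdx_doc))
    print("only in SPDX / only in CycloneDX:", diff_components(spdx_doc, cdx_doc))
    print("ML models in CycloneDX doc:", ml_models(cdx_doc))
```

On the constructed samples the two documents agree on the application and `requests`; the CycloneDX one additionally carries the nested `urllib3` and the `spam-classifier` model component, and `ml_models` finds the model only there, since the SPDX 2.3 package purpose vocabulary has no model value (the gap the comment above refers to). Real SBOMs will need more care than this (SPDX packages can also carry purl/CPE external refs, and CycloneDX components can be referenced through `dependencies`), but for deciding between the formats the point stands: the common inventory maps across cleanly, and the differences live in format-specific fields.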
Hello, happy to help out! Do you have a tracker of projects that need to build their SBOMs?
This issue is to capture discussions happening in various SIGs around creating a software bill of materials.