On 22/10/2023 11:50, Bruno Kinoshita wrote:
Starting to provide a format, then stopping, is not very helpful.
CycloneDX is easier to produce and has more uptake in ASF.
I had a look but couldn't find anything conclusive on which format works
best for the EU Cyber Resilience Act.
CRA is a lot of other issues for open source :-(
GitHub is exporting SPDX I think:
https://github.blog/2023-03-28-introducing-self-service-sboms/
Useful.
Now we have two to choose between :-)
As indented JSON they are:
- SPDX plugin: 1,516,541 chars
- GH generated (gh sbom | jq): 626,773 chars
Andy
You can create one for Jena from
https://github.com/apache/jena/network/dependencies and that will give you
an SPDX JSON.
Combining SPDX with RAT could be useful.
#TIL! I think RAT had/has some older issues (can't recall if in the tool,
the maven plugin, or both) but had low activity. Maybe with that there will
be more commits/releases.
Links I have found useful:
Thanks for the links to external and ASF material! Someone shared links in
the Commons security list too about SBOM discussing VEX files (OSV was also
mentioned):
- https://www.cisa.gov/sbom
- https://www.cisa.gov/sites/default/files/2023-04/minimum-requirements-for-vex-508c.pdf
- https://github.com/openvex (
PS SPDX can be RDF!, and in fact the maven plugin uses Jena!
Jena 3.10.0 :-(
Maybe we can ping someone that maintains it, or even send a PR to bump it
to Jena 4, warning that there will be a jena5 soon too.
Cheers,
Bruno
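An added example (not code from the thread or from any Jena/ASF tooling) showing what a consumer would do with the SPDX JSON that the GitHub export or the maven plugin produces: parse it, list the packages with their purl, flag packages that lack the version a vulnerability lookup (OSV, VEX matching) needs, and report the indented size the thread compares. The SPDX document below is a constructed, minimal sample in the shape of a GitHub dependency-graph export, not a real Jena SBOM.

```python
import json

# Constructed minimal SPDX 2.3 JSON document (sample data, not a real export).
SAMPLE_SPDX = """{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-project",
  "packages": [
    {"SPDXID": "SPDXRef-pkg-1", "name": "maven:org.example/lib-a",
     "versionInfo": "1.2.3", "downloadLocation": "NOASSERTION",
     "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                       "referenceType": "purl",
                       "referenceLocator": "pkg:maven/org.example/lib-a@1.2.3"}]},
    {"SPDXID": "SPDXRef-pkg-2", "name": "maven:org.example/lib-b",
     "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-pkg-1"}
  ]
}"""

# Fields a vulnerability lookup needs per package. versionInfo is optional in
# the SPDX spec, but without it a package cannot be matched against advisories.
WANTED_PACKAGE_FIELDS = ("SPDXID", "name", "versionInfo", "downloadLocation")


def summarize_spdx(text):
    """Parse SPDX JSON and return packages, gaps, and the indented size."""
    doc = json.loads(text)
    packages = []
    problems = []
    for pkg in doc.get("packages", []):
        # Pull the purl (package URL) from externalRefs if the producer set one.
        purl = next((r.get("referenceLocator") for r in pkg.get("externalRefs", [])
                     if r.get("referenceType") == "purl"), None)
        packages.append((pkg.get("name"), pkg.get("versionInfo"), purl))
        missing = [f for f in WANTED_PACKAGE_FIELDS if f not in pkg]
        if missing:
            problems.append((pkg.get("SPDXID"), missing))
    return {
        "spdx_version": doc.get("spdxVersion"),
        "packages": packages,
        "problems": problems,
        "indented_chars": len(json.dumps(doc, indent=2)),  # like `gh sbom | jq`
    }


if __name__ == "__main__":
    print(summarize_spdx(SAMPLE_SPDX))
```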