Hi,

At least from the discussion thus far, with the discovery mechanism in draft-ietf-opsawg-sbom-access there is currently only a need to retrieve a single SBOM. According to both SPDX and CycloneDX folk, they have sufficiently internalized any additional references. CycloneDX can point directly to a URL, whereas with SPDX there is one further resolution before you get there. I can’t say at this stage which is better, but from this draft’s perspective, its job is done either way, once the JSON extension is read and the initial SBOM is located.

Eliot
_______________________________________________ OPSAWG mailing list OPSAWG@ietf.org https://www.ietf.org/mailman/listinfo/opsawg