In my experience, SBOMs are specific to a particular vendor, product, version (assuming 3-part semantic versioning) and timestamp. The URI, if using the .well-known construct, will need to accommodate many SBOMs – perhaps “base” is providing this level of specificity, e.g. https://{hostname}/.well-known/sbom/Vendor/Product/Version/IamtheTimestampedSBOM.spdx
I tend to think of GitHub as a litmus test for these types of scenarios. “How would this work on GitHub?”

Thanks,

Dick Brooks
https://reliableenergyanalytics.com/products
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

From: OPSAWG <opsawg-boun...@ietf.org> On Behalf Of Patrick Dwyer
Sent: Wednesday, May 19, 2021 8:26 AM
To: Eliot Lear <lear=40cisco....@dmarc.ietf.org>
Cc: opsawg <opsawg@ietf.org>
Subject: Re: [OPSAWG] Draft-ietf-opsawg-sbom-access-01

Hi Eliot,

I think SaaS use cases are a problem for SBOM formats. Not so much for discovery and access.

There seems to be some inconsistency with the well-known URI. In section 2: "{ORIGIN}/.well-known/sbom/base". In section 4, the MUD YANG model: "https://{hostname}/.well-known/sbom". And again in 5.2. But I could be missing something.

Pat

On Wed, May 19, 2021 at 2:40 AM Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:

Hi everyone,

This draft corrects some of the YANG and discusses, but does not address, a SaaS use case. I don’t think we want to cover that here, but rather that it should be covered in some place like the W3C. Please have a gander. If you don’t like what you see, feel free to propose changes. I’d like to have at least one more version out before our next virtual meeting.

Eliot

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
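The per-vendor/product/version/timestamp layout under /.well-known/sbom proposed at the top of this thread, worked through as an added example (this is not code from draft-ietf-opsawg-sbom-access or from any participant on the list). It builds such a URI from its parts and parses one back, enforcing the assumptions the example makes: three-part semantic versions, a compact UTC timestamp of the form 20210519T082600Z, an "spdx" or "cdx" file suffix, and the bare /.well-known/sbom prefix (the quoted reply notes the draft itself also shows a "/base" suffix; that is the one constant to change). The security-relevant check is that vendor and product names are treated as single path segments, so a name such as ".." or one containing "/" cannot move the resolved path out from under the well-known prefix.

```python
"""Build and parse per-artifact SBOM URIs under /.well-known/sbom.

Added example, not code from the draft or from any list participant. The
layout below the prefix, the timestamp format, the file suffixes and the
absence of a "/base" suffix are assumptions of this example.
"""
import re
from datetime import datetime
from urllib.parse import quote, unquote, urlsplit

WELL_KNOWN_PREFIX = "/.well-known/sbom"          # assumed: no "/base" suffix
SEMVER_RE = re.compile(r"^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)$")
TIMESTAMP_FMT = "%Y%m%dT%H%M%SZ"                 # assumed, e.g. 20210519T082600Z
KNOWN_FORMATS = ("spdx", "cdx")                  # assumed file-name suffixes


def _check_segment(value: str) -> str:
    """Reject values that would change the path structure once decoded.

    Names containing "/" are rejected rather than encoded as %2F, because
    many servers decode %2F before routing and would then see an extra level.
    """
    if not value or value in (".", "..") or "/" in value:
        raise ValueError(f"invalid path segment: {value!r}")
    return value


def build_sbom_uri(origin: str, vendor: str, product: str,
                   version: str, timestamp: str, fmt: str = "spdx") -> str:
    """Return https://{host}/.well-known/sbom/{vendor}/{product}/{version}/{timestamp}.{fmt}."""
    parts = urlsplit(origin)
    if parts.scheme != "https" or not parts.netloc or parts.path not in ("", "/"):
        raise ValueError("origin must be https://host[:port] with no path")
    if not SEMVER_RE.match(version):
        raise ValueError(f"version must be MAJOR.MINOR.PATCH: {version!r}")
    datetime.strptime(timestamp, TIMESTAMP_FMT)   # raises on a malformed timestamp
    if fmt not in KNOWN_FORMATS:
        raise ValueError(f"unknown SBOM format: {fmt!r}")
    # quote(..., safe="") percent-encodes everything but unreserved characters,
    # so spaces and punctuation in a vendor or product name stay in one segment.
    segments = [quote(_check_segment(s), safe="")
                for s in (vendor, product, version, f"{timestamp}.{fmt}")]
    return f"https://{parts.netloc}{WELL_KNOWN_PREFIX}/" + "/".join(segments)


def parse_sbom_uri(uri: str) -> dict:
    """Split a URI of the layout above back into its components, validating each."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SBOM URIs must be https with a host")
    if not parts.path.startswith(WELL_KNOWN_PREFIX + "/"):
        raise ValueError("path is not under " + WELL_KNOWN_PREFIX)
    raw = parts.path[len(WELL_KNOWN_PREFIX) + 1:].split("/")
    if len(raw) != 4:
        raise ValueError("expected vendor/product/version/file below the prefix")
    # Split on "/" before decoding, then re-check each decoded segment so that
    # %2E%2E ("..") or an encoded slash cannot smuggle in a traversal.
    vendor, product, version, filename = (_check_segment(unquote(s)) for s in raw)
    if not SEMVER_RE.match(version):
        raise ValueError(f"bad version segment: {version!r}")
    timestamp, _, fmt = filename.rpartition(".")
    if fmt not in KNOWN_FORMATS:
        raise ValueError(f"unknown SBOM format: {fmt!r}")
    issued = datetime.strptime(timestamp, TIMESTAMP_FMT)
    return {"origin": f"https://{parts.netloc}", "vendor": vendor,
            "product": product, "version": version, "timestamp": timestamp,
            "issued": issued, "format": fmt}


def is_valid_sbom_uri(uri: str) -> bool:
    """True if the URI parses under the layout and checks above."""
    try:
        parse_sbom_uri(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input; "example.com" and the names are placeholders.
    uri = build_sbom_uri("https://example.com", "Acme Corp", "Widget Pro",
                         "1.2.3", "20210519T082600Z")
    print(uri)
    print(parse_sbom_uri(uri))
```

The split-then-decode order in parse_sbom_uri is deliberate: splitting after percent-decoding would let an encoded slash create a fifth level, and decoding without re-checking would let "%2E%2E" read as "..". The same holds on the server side, so whatever serves these files should route on the encoded path and apply the same segment checks before touching the filesystem.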