Unique SPDXID comply with NTIA Minimum Elements requirements #48
Comments
Other Unique Identifiers details from NTIA minimum elements Definition
More details
The above points indicate that presence of any of these identifiers would be enough. I then decided to re-read https://www.ntia.gov/files/ntia/publications/sbom_formats_survey-version-2021.pdf. That indicates for the other unique identifiers we should only be checking SPDXID + namespace for SPDX and serial number for CycloneDX. Wondering if this should be a waterfall check of ids, or just the presence check of serialnumber & spdx+namespace. Let's discuss this more, before changing it.
Getting documentation in accordance with changes at issue #48
sbomqs uses the presence of CPE/PURL to check for 'Other unique identifiers' requirements. However, after discussing it with Kate Stewart here, it is clear that SPDXID alone can satisfy that criterion for the SPDX. Let us change sbomqs towards the original intent.
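
An added example, not sbomqs code and not part of the thread: the plain presence check discussed above (serialNumber for CycloneDX; SPDXID plus documentNamespace for SPDX), written in Go over JSON SBOMs. The helper name `checkUniqueIDs`, the sample documents and the requirement that every SPDX package carries its own SPDXID are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample documents, trimmed to the fields the check reads.
const sampleSPDX = `{"SPDXID":"SPDXRef-DOCUMENT","documentNamespace":"https://example.com/spdx/demo",
 "packages":[{"name":"a","SPDXID":"SPDXRef-Package-a"},{"name":"b"}]}`
const sampleCDX = `{"bomFormat":"CycloneDX","serialNumber":"urn:uuid:00000000-0000-4000-8000-000000000001"}`

// sbomDoc holds only the identifier fields of SPDX JSON and CycloneDX JSON.
type sbomDoc struct {
	SPDXID            string                          `json:"SPDXID"`
	DocumentNamespace string                          `json:"documentNamespace"`
	Packages          []struct{ Name, SPDXID string } `json:"packages"`
	BomFormat         string                          `json:"bomFormat"`
	SerialNumber      string                          `json:"serialNumber"`
}

// checkUniqueIDs (hypothetical helper) returns the identifiers that are
// missing. A document that is not CycloneDX is checked as SPDX.
func checkUniqueIDs(raw []byte) ([]string, error) {
	var d sbomDoc
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	var missing []string
	need := func(field, val string) {
		if val == "" {
			missing = append(missing, field)
		}
	}
	if d.BomFormat == "CycloneDX" {
		need("serialNumber", d.SerialNumber)
		return missing, nil
	}
	need("SPDXID", d.SPDXID)
	need("documentNamespace", d.DocumentNamespace)
	for _, p := range d.Packages {
		need("package "+p.Name+": SPDXID", p.SPDXID) // assumption: checked per package
	}
	return missing, nil
}

func main() {
	fmt.Println(checkUniqueIDs([]byte(sampleSPDX)))
	fmt.Println(checkUniqueIDs([]byte(sampleCDX)))
}
```

An empty result means the document passes under this reading; CPE and PURL are deliberately not consulted.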