
Or tag-value, which is actually preferred by many practitioners. Nesting is implicit in that format, but SBOMs should be mostly flat, anyway.

Unfortunately, T-V has been dropped in SPDX 3.0.
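To illustrate what "nesting is implicit" means in the tag-value format, here is an added example (not code from the thread or from the SPDX project): a minimal parser for SPDX 2.x tag-value text that groups tags into package blocks and rebuilds the hierarchy from Relationship lines. The sample document is constructed, its package names and SPDX IDs are made up, and the parser ignores multi-line `<text>` values.

```python
"""Added example, not from the thread: a minimal SPDX 2.x tag-value parser
showing how the flat format carries structure implicitly."""
from collections import defaultdict
# Constructed sample document; package names and SPDX IDs are made up.
SAMPLE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-app
PackageName: example-app
SPDXID: SPDXRef-app
PackageVersion: 1.0.0
PackageName: libfoo
SPDXID: SPDXRef-libfoo
PackageVersion: 2.4.1
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-app
Relationship: SPDXRef-app DEPENDS_ON SPDXRef-libfoo
"""

def parse_tag_value(text):
    """Return (document_fields, packages, edges).
    Nesting is implicit: each tag after a PackageName belongs to that
    package until the next PackageName; Relationship lines become
    (source, type, target) edges of the SBOM graph."""
    doc, packages, edges = {}, [], []
    current = doc
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no data
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            current = {"PackageName": value}  # starts a new package block
            packages.append(current)
        elif tag == "Relationship":
            src, rel, dst = value.split()
            edges.append((src, rel, dst))
        else:
            current[tag] = value
    return doc, packages, edges

def dependency_tree(edges, relation="DEPENDS_ON"):
    """Rebuild the hierarchy the flat file only implies, from its edges."""
    children = defaultdict(list)
    for src, rel, dst in edges:
        if rel == relation:
            children[src].append(dst)
    return dict(children)
```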



It was dropped exactly because it was flat and it was becoming completely unmanageable.

SPDX v3 is based on a graph model that can represent hierarchies natively. It can then be serialized in a file, for example, in JSON format.


But it was the best format for manually creating an SBOM.

Most SBOM use cases don't need the ability to put your detailed software architecture in the SBOM.


"manually creating an SBOM" is a much lower priority requirement than "easily, accurately, and completely creating an SBOM".

The whole idea is to use specific libraries to produce and consume SBOMs.

You wouldn't expect people to "manually create" JPG images, would you?


I would expect people to do a lot of manual work in SBOM and licensing, yes. Because that's what we do now.



