Daniel Nebenzahl

Results 12 comments of Daniel Nebenzahl

Thank you for the elaborated answer. A few follow-ups: **Regarding the technical aspect of the issue:** >To represent this in CycloneDX you would simply have an external reference of type...

Hi, I'm not sure this is the right place, but I'll give it a shot; [Above](https://github.com/slsa-framework/slsa/issues/362#issuecomment-1098226347) @mlieberman85 quoted the following from the standard: > The output artifact hash from [Identifies...

Thanks for the prompt responses. Sorry, but I'm not convinced; The assumption behind "service generated provenance" is that user-script generated provenance is not trustworthy enough. An attacker that can determine...

Did you mean to add the cpe as a qualifier pkg:npm/[email protected]?cpe=cpe2.3 : a : foobar :*:*:*:* (added spaces to bypass the 🅰️ icon)? Sounds like a great idea to me.

As I see it there are two issues that got mixed up here: 1. Who should attest to the built artifact hash. The current definition [here](https://slsa.dev/spec/v0.1/requirements#identifies-artifact) is that that build...

A few examples of relationships that could be useful: 1. component C is a dependency of B which is a dependency of A. It could be useful to have the...

Hope it is ok to wake up this dormant issue; I would like to suggest having annotations for the build service: * URL to workflow or pipeline (this should work...

Hi, not sure this is the right place - please redirect me if not. Wanted to note that there is already an ecosystem of tools that are starting to break...

What I mean by backward compatible: I suppose Trivy does not check the spec version, but it was probably tested on some version - I guess 1.4. They assume that...

@stevespringett, what do you think of the suggestion above, that could provide the same values of the new `tools` section without any change to CycloneDX 1.4? Could it indeed...