Gary O'Neall
@CASTResearchLabs thanks for the additional explanation.
This seems like a straightforward approach. It is something we would need to document. I would also suggest calling it something other than a document checksum so that it isn't...
@iamwillbar any thoughts on the proposal?
SPDX has an additional class of ExternalDocumentRef and properties to manage the relationship between documents in a secure manner. SBOM takes a different approach which is structurally incompatible with the...
> second one is to have an "AbstractDocument" class with two specializations, the current "Document" class and a new "ExternalDocumentRef" class, and change the "referenceDocument" attribute definition to be of...
Looks good structurally, left a couple detail comments in the PR that, if accepted, would help compatibility.
@stevespringett Thanks for the high assurance environment perspective. I think the two approaches are compatible since you can always create a new SBOM and bring in all the elements you...
I ran into the same issue. I just created a PR #128 which works for me.
Super excited to see this RFC - Thanks @bdehamer for proposing this!

> validation tools, that can confirm that a generated SBOM is valid

Just for reference, we do have...
For SPDX validation, I would recommend either the [online tools validate function](https://tools.spdx.org/app/validate/) or the [tools-java command line utility Verify command](https://github.com/spdx/tools-java#verifier). In addition to the schema validation, it validates some of...