Here is another nomenclature question for our group. I was talking with Kate Stewart (Linux Foundation, SPDX) this afternoon. We were discussing what to call the ‘target’ or ‘object’ of an SBOM. In other words, what is the ‘thing’ an SBOM describes? We think the ‘thing’ is broad, where it may span the following:
Kate mentioned that in SPDX today the ‘thing’ is an ‘element’. (Not a ‘package’ – Philippe-Emmanuel, we may have been mapping to the wrong SPDX element).
I propose that for the SBOM we call the ‘thing’ an ‘artifact’. This has the following implications:
Does this work? Thoughts?