First off, if any of you have not seen the current User Scenarios document, I encourage you to take a look. Philippe-Emmanuel has done a terrific job creating example SBOMs in both JSON and XML format. Thank you so much, Philippe-Emmanuel! I do have one small organizational nit, would it be possible to move the example files to the User Scenarios folder (they are currently in the modeling folder)?
Second, I want to raise the topic (again) of evaluating SPDX 3.0 as an option for our SBOM standard. I want to keep an open mind, and encourage this from us all as we are learning. SPDX has a long history, including adoption by a number of efforts. For example, Microsoft is working to import/export SPDX as part of the Clearly Defined effort. And the Black Duck Hub product generates SPDX as part of its BOM output.
I understand that SPDX 2.x is both too much and too little to meet the needs of our scenarios. To address this, William Bartholomew has made a proposal to the SPDX technical team for an SBOM-friendly SPDX 3.0. This was well received by the SPDX team.
I would like for us, as a group, to outline at least two options (our current model, the SPDX 3.0 proposal, and possibly others) for consideration, and clearly articulate the pros and cons of each. With a clear understanding of the specific advantages and shortcomings of each model, we can move forward to identify issues and unknowns, gather data, and address issues. Our goal is to arrive on a single, shared point of view.
I am interested in thoughts from others. If there is agreement, I can work with William, Kate, Gary, Phillippe-Emmanuel and others who are interested to create a comparison document.