Add better complete SBOM definitions #36

Merged
Oct 24, 2024
15 changes: 12 additions & 3 deletions docs/sbom.md
Expand Up @@ -14,7 +14,17 @@ When talking about inventories of components, it's also important to describe wh
comprehensive SBOM are:

- Provide a complete and accurate listing of software components and their relationships to each other from a
supply chain perspective.
supply chain perspective:

- For each software component, an SBOM must list its provenance. That is, if the (downstream) component is a
redistributed version of an open source project (upstream), the downstream component must be directly linked
to its upstream counterpart. If an upstream component is augmented in a mirrored repository before being used
in a build of a downstream component, this version of the component (also called a midstream component) must
be recorded as a separate package.

- A manifest must list all components that are included in the final deliverable that can be deployed and run by an
end user. Any software dependencies that are used strictly during the build process must be listed as well, but
separate from the runtime dependencies.

- Define an accurate identification of components and products usable across all published security data.
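Review bot: the two new bullets ("For each software component, an SBOM must list its provenance ..." and "A manifest must list all components ...") are meant to elaborate the first requirement, since the line above them was changed to end in a colon instead of a period, but they sit at the same list level as "Provide a complete and accurate listing ..." and "Define an accurate identification ...", so a reader will count them as four independent requirements; indent them to nest under the first bullet. "A manifest must list all components" is also the only place this text says "manifest" where everything else says "SBOM"; use one term. Finally, the build-time sentence says build-only dependencies "must be listed as well, but separate from the runtime dependencies" without saying how that separation is expressed (a distinct relationship type, a dedicated section, or otherwise); state the mechanism, because a consumer matching vulnerability data against the runtime set needs to know which list a build tool appears in.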

Expand Down Expand Up @@ -484,8 +494,7 @@ relationship to architecture-specific RPMs can be represented with:
```

SRPMs are also linked to one or more upstream sources that were used to build the downstream RPMs. An upstream

Upstream source:
source can be represented by a package object using the following data:

=== "SPDX 2.3"
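Review bot: removing the stray "Upstream source:" line is correct, as it was splitting the sentence "An upstream ... source can be represented by a package object" in two, but this section still describes only the plain upstream source, while the new provenance bullet earlier in this same change requires a midstream component (an upstream augmented in a mirrored repository before the build) to be recorded as a separate package. Either add a sentence here on how a midstream source is represented next to its upstream counterpart, or cross-reference where that is covered, so the examples under `=== "SPDX 2.3"` match the definition.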
