Enable ORT to generate CycloneDX 1.6 SBOMs #8505
Edit: Now blocked by CycloneDX/cyclonedx-core-java#408 and CycloneDX/cyclonedx-core-java#409.
Resolved by #8645, though as discussed in the ORT community meeting, ORT sticks to writing CycloneDX 1.5 by default until there is wider adoption for CycloneDX 1.6. Users can customize the CycloneDX schema version via the reporter-specific
Enabling generation of CycloneDX 1.6 SBOMs will be useful for license compliance, as 1.6 supports both concluded and declared licenses. We should make a decision on which SBOM spec version we are going to support - ideally develop an option for users to be able to select a specific spec version such as CycloneDX [1.4, 1.5 or 1.6] or SPDX [2.2, 2.3 or 3.0].
See also
CycloneDX/specification#407
https://github.com/CycloneDX/specification/blob/1.6-dev/schema/bom-1.6.proto
https://github.com/CycloneDX/specification/blob/1.6-dev/schema/bom-1.6.schema.json
https://github.com/CycloneDX/specification/blob/1.6-dev/schema/bom-1.6.xsd