Standard documents to share sbom report among supply chain


DR

Hi Shane & all,

I have a question.

Are there standard documents required to share an SBOM containing OSS IP details for 2 main cases?
Case 1: Docx or PDF OSS report to be shared along with our direct product or services
Case 2: Excel or other format to share OSS details among Tier n's (Tier 1, Tier 2, etc. & OEM) so that the OEM can collate & use documents from Case 1 (or SPDX).

I searched here but am not sure where to get them. (Tracing a doc is a little tough.)



Please help if it's already there...

Thanks
Dinesh


Hi Dinesh!

== Everyone else ==
I advise everyone to check out the full discussion here:
https://github.com/OpenChain-Project/Reference-Material/issues/6
== Back to Dinesh ==

We actually have a solution in the market that sounds like it suits your use-case of - basically - an Excel software bill of materials. It is called “SPDX Lite” and it is an optional component of SPDX 2.2. It was created by Japanese companies like Hitachi, Toshiba and Fujitsu for precisely the use case you mention.

You can read about it here:
https://spdx.github.io/spdx-spec/appendix-VIII-SPDX-Lite/

It is very short, compact and effective for human readability.

Regards

Shane

On May 20, 2021, at 15:24, DR <dineshr93@gmail.com> wrote:

Hi Shane & all,

I have a question.
Are there standard documents required to share an SBOM containing OSS IP details for 2 main cases?
Case 1: Docx or PDF OSS report to be shared along with our direct product or services
Case 2: Excel or other format to share OSS details among Tier n's (Tier 1, Tier 2, etc. & OEM) so that the OEM can collate & use documents from Case 1 (or SPDX).

I searched here but am not sure where to get them. (Tracing a doc is a little tough.)

Raised a ticket here: https://github.com/OpenChain-Project/Reference-Material/issues/6

Please help if it's already there...

Thanks
Dinesh
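An added example, not from this thread or from the SPDX project, of the Case 2 flow that Shane's reply points at: an OEM parses SPDX tag-value SBOMs received from two tiers and collates them into one list, flagging packages whose supplier left out required tags. The required-tag set, the document names and the package entries are assumptions constructed for the example; check the tag set against the SPDX Lite appendix linked above before relying on it.

```python
import re

# Assumption: a reduced set of the per-package tags SPDX Lite requires; confirm
# the list against the SPDX Lite appendix before using it for compliance checks.
REQUIRED_PKG_TAGS = {"PackageName", "SPDXID", "PackageVersion", "PackageDownloadLocation",
                     "PackageLicenseConcluded", "PackageLicenseDeclared", "PackageCopyrightText"}

def parse_tag_value(text):
    """Return (document_fields, [package_fields, ...]) from SPDX tag-value text."""
    doc, packages, current = {}, [], None
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line.strip())
        if not m:
            continue  # blank line or free text
        tag, value = m.groups()
        value = re.sub(r"^<text>|</text>$", "", value)  # strip single-line wrappers
        if tag == "PackageName":  # each PackageName opens a new package section
            packages.append(current := {})
        (doc if current is None else current)[tag] = value
    return doc, packages

def collate(sboms):
    """Merge every tier's packages into one OEM-level list (Case 2), recording
    the source document and any required tags the supplier left out."""
    merged = []
    for text in sboms:
        doc, packages = parse_tag_value(text)
        for pkg in packages:
            merged.append({"from": doc.get("DocumentName"), "name": pkg["PackageName"],
                           "license": pkg.get("PackageLicenseConcluded"),
                           "missing": sorted(REQUIRED_PKG_TAGS - pkg.keys())})
    return merged

# Constructed sample SBOMs: the Tier 2 entry is complete, the Tier 1 entry is not.
TIER2 = """DocumentName: tier2-board-support
PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.2.11
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: Zlib
PackageLicenseDeclared: Zlib
PackageCopyrightText: <text>NOASSERTION</text>
"""
TIER1 = """DocumentName: tier1-ecu-firmware
PackageName: busybox
SPDXID: SPDXRef-Package-busybox
PackageVersion: 1.33.1
PackageLicenseConcluded: GPL-2.0-only
"""
```

Running `collate([TIER2, TIER1])` yields one row per package; the busybox row lists the three tags Tier 1 omitted, which is the check an OEM wants before accepting a supplier's sheet.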