Resolved by #8645, though as discussed in the ORT community meeting, ORT sticks to writing CycloneDX 1.5 by default until there is wider adoption for CycloneDX 1.6. Users can customize the CycloneDX schema version via the reporter-specific schema.version option as mentioned e.g. here.
Enabling generation of CycloneDX 1.6 SBOMs will be useful for license compliance as 1.6 supports both concluded and declared licenses. We should make a decision on which SBOM spec version we are going to support - ideally develop an option for users to be able to select a specific spec version such as CycloneDX [1.4, 1.5 or 1.6] or SPDX [2.2, 2.3 or 3.0].
See also
CycloneDX/specification#407
https://github.com/CycloneDX/specification/blob/1.6-dev/schema/bom-1.6.proto
https://github.com/CycloneDX/specification/blob/1.6-dev/schema/bom-1.6.schema.json
https://github.com/CycloneDX/specification/blob/1.6-dev/schema/bom-1.6.xsd