goneall commented on Jun 23, 2022
@Jeeppler Not currently. It wouldn't be too difficult to create the feature, but I probably won't have time to work on it until after the SPDX 2.3 release changes are complete.
If you have Java experience and want to contribute changes to support this functionality, I can give you some pointers to get you started.
spatil00 commented on Aug 9, 2022
I am not sure how it will work. If you have two SBoMs from different components, each will have their own headers (Document Creation section in SPDX specification). I am not sure if SPDX specification gives options to keep headers for two components?
goneall commented on Aug 9, 2022
@spatil00 I was thinking you could create a new SPDX document with its own document creation section but include relationships from the new documents to the old documents. You could create External Document References for the 2 original docs. A relationship type DESCENDANT_OF and/or AMENDS could be used to describe that the new SPDX document is derived from the 2 original documents. A relationship type of COPY_OF could be used to refer back to the original package/file/snippets from the original package if you want to make the entire operation traceable.
rnjudge commented on Mar 20, 2023
@Jeeppler check out https://github.com/vmware-samples/sbom-composer for combining SPDX docs. This is in the process of being moved under the OpenSSF.
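The layout goneall describes above (a new document with its own creation section, External Document References to the originals, and DESCENDANT_OF / COPY_OF relationships), as an added example that is not part of the thread or of the SPDX tools. It assumes SPDX 2.x JSON input; `merge_spdx`, the tool name, the labels and the example.com namespaces are hypothetical, and the sample documents are constructed.

```python
import hashlib
import json
from datetime import datetime, timezone

def _rel(src, rel_type, dst):
    return {"spdxElementId": src, "relationshipType": rel_type, "relatedSpdxElement": dst}

def merge_spdx(sources, name, namespace):
    """sources: list of (raw_bytes, label) pairs, one per original SPDX 2.x JSON file."""
    merged = {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT", "name": name,
        "documentNamespace": namespace,
        "creationInfo": {  # the merged document gets its own creation section
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "creators": ["Tool: merge-example"],  # hypothetical tool name
        },
        "externalDocumentRefs": [], "packages": [], "relationships": [],
    }
    for raw, label in sources:
        doc = json.loads(raw)
        ext_id = f"DocumentRef-{label}"
        # Pin each original by namespace and by SHA1 of the exact bytes that were read,
        # so a consumer can detect that a referenced original was altered later.
        merged["externalDocumentRefs"].append({
            "externalDocumentId": ext_id,
            "spdxDocument": doc["documentNamespace"],
            "checksum": {"algorithm": "SHA1",
                         "checksumValue": hashlib.sha1(raw).hexdigest()},
        })
        merged["relationships"].append(
            _rel("SPDXRef-DOCUMENT", "DESCENDANT_OF", f"{ext_id}:SPDXRef-DOCUMENT"))
        for pkg in doc.get("packages", []):
            old_id = pkg["SPDXID"]
            # Prefix with the label so identical IDs in two sources cannot collide.
            new_id = f"SPDXRef-{label}-{old_id.split('SPDXRef-', 1)[-1]}"
            merged["packages"].append({**pkg, "SPDXID": new_id})
            merged["relationships"].append(_rel(new_id, "COPY_OF", f"{ext_id}:{old_id}"))
    return merged

# Constructed sample inputs (not real SBOMs); both reuse the ID SPDXRef-Package.
def _sample(ns, pkg_name):
    return json.dumps({"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT",
                       "documentNamespace": ns,
                       "packages": [{"SPDXID": "SPDXRef-Package", "name": pkg_name}]}).encode()

DOC_A = _sample("https://example.com/spdx/a", "libalpha")
DOC_B = _sample("https://example.com/spdx/b", "libbeta")
MERGED = merge_spdx([(DOC_A, "a"), (DOC_B, "b")], "merged", "https://example.com/spdx/merged")
```

Relationships inside the original documents are not carried over here; their element IDs would need the same label-based rewrite as the package IDs.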