Steve Springett

Results: 666 comments of Steve Springett

There are a lot of "ifs" that are required in order to make gitbom semi-useful. * Every artifact tree example detailed at https://gitbom.dev/glossary/artifact_tree/ can easily be represented in CDX, either...

I like the idea of creating a taxonomy of pre-defined property namespaces for consistency reasons. I also like the fact that it will work with existing 1.3 spec without any...

I think you're going to have to be very specific on namespaces. For example, you may consider requiring only ASCII characters.

Distribution is intentionally not specific to binary, source, hybrid, or other. Multiple distributions can be specified for a component. Take Maven for example. A single component may have multiple artifacts...

The proposed namespace (for XML) is: http://cyclonedx.org/schema/ext/audit/1.0

Note to self: This prototype snippet may be useful when defining the spec.

The purpose is both. Audit the metadata that describes the software (everything in the BOM), the methods in which that metadata was obtained, and the BOM as a whole. I'd...

The definition of `container` is: > A packaging and/or runtime format, not specific to any particular technology, which isolates software inside the container from software outside of a container through...

Thanks for the clarification and Checkov example. S3 can easily be defined using services today, however, what may be missing is what the services do with the data. For example,...

CycloneDX supports industry standard enveloped signing formats including XML Signature (xmlsig) and JSON Signature Format (JSF). Any component or nested component assembly can be independently signed and verified. To my...