SPDX was designed for tools to produce and consume SBOM documents. A decade of experience has shown us that tools may interpret fields differently: a file may be a syntactically valid SPDX SBOM, yet different tools may populate the same fields with different values.
By coming together as a community to examine the output of multiple tools and to compare and contrast the results, we can refine the guidance to tool vendors and improve the robustness of the ecosystem that shares SPDX documents. Historically, these events were called Bake-offs, but we’ve evolved them into “DocFests.”
After a successful SPDX 2.2 DocFest in September of 2021, the SPDX community has decided to host another DocFest on January 27th from 7-11 AM PST. The purpose of this event is to bring together producers and consumers of SPDX documents and discuss where tool output and interpretation differ for the same software artifacts.
Specifically, the goals of this DocFest are to:
- Come to agreement on how the fields should be populated for a given artifact
- Identify instances where different use cases might lead to different choices for fields and structures of documents
- Assess how well the NTIA SBOM minimum elements are covered
- Create a set of reference SPDX SBOMs as part of the corpus for further tooling evaluation
This event will require “sweat equity”: participants who can produce SPDX documents are expected to have generated at least one SPDX document from the target set (either source, built from source, or an image/container equivalent). Participants who consume SPDX documents are expected to run at least two SPDX documents through their tooling and share any analysis results.
Those who have signed up and have submitted files by January 21, 2022, will receive a meeting invite to the DocFest.
To indicate interest to participate, please fill in the following form no later than January 16, 2022: https://forms.gle/Mq7ReinTY6gDL4cs9