Commit 52ff1ea8 authored by Santeri Toikka's avatar Santeri Toikka

Added more notes from closed merge requests

parent 89b1bb30
+10 −0
@@ -2625,6 +2625,9 @@ References:
Early versions of this document had a section about SBOM requirements.

### The requirements

Removed requirements:

These requirements are generally binding, and there is no low-medium-high tiering available.

- **[REQ-SBOM-0]:** Operating system dependencies and application dependencies shall be clearly separated in the provided SBOM.
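Review bot: the new "Removed requirements:" line is immediately followed by the unchanged sentence "These requirements are generally binding, and there is no low-medium-high tiering available.", which now reads as if the removed requirements were still in force. Since this section documents requirements that were dropped, reword the sentence to the past tense (for example "These requirements were generally binding, with no low-medium-high tiering.") so it agrees with the heading above it, and consider renaming "### The requirements" to "### The removed requirements" for the same reason.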
@@ -2632,6 +2635,13 @@ These requirements are generally binding, and there is no low-medium-high tierin
- **[REQ-SBOM-1b]:** The SBOM identifier format shall be consistent with common vulnerability handling standards.
- **[REQ-SBOM-2]:** The SBOM shall be consistent with [5.3.4 Secure updates] practices.

It has been also suggested, that:

The Software Bill of Material delivered with each software update in one of two
standard formats:
  * [SPDX](https://spdx.dev/use/spdx-tools/)
  * [Cyclone DX](https://cyclonedx.org/)

### Removal reason

There are no clear instructions or interfaces available.
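Review bot: the added paragraph "The Software Bill of Material delivered with each software update in one of two standard formats:" is missing its verb; it should read "The Software Bill of Materials shall be delivered with each software update in one of two standard formats:". The lead-in "It has been also suggested, that:" has a stray comma and awkward word order ("It has also been suggested that:"). The second bullet should use the project's own spelling, "CycloneDX", to match the linked site. Finally, the "Removal reason" line "There are no clear instructions or interfaces available." does not say what was unclear; stating briefly which instructions or interfaces were lacking (for instance, how the SBOM is to be delivered and consumed alongside the update) would let a future reader judge whether the requirement can be reintroduced.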