Generate SBOM in CycloneDX format

Hello Tage,

Let me confirm internally and follow up with you. There is a holiday coming up, so unfortunately it might take a few days. My apology for the inconvenience.

Regards,

Hieu

Hi Tage,

It seems that ncs-sbom can generate the report in SPDX output format. Notice this from running west ncs-sbom -h:

  --output-spdx OUTPUT_SPDX
                        Generate output SPDX report. (default: None)

I cannot find a direct refence from the FDA that says so, but from third party sources, it seems that the FDA accepts SPDX. Could you please check this?

If CycloneDX is needed, it looks like there is a tool on the CycloneDX GitHub to convert SPDS format to CycloneDX. See: https://github.com/CycloneDX/cyclonedx-cli.

Regards,

Hieu

Please be informed that due to a short holiday, there will be some delays in our responses in the coming days. Our apologies for the inconvenience.

Hi Tage,

It seems that ncs-sbom can generate the report in SPDX output format. Notice this from running west ncs-sbom -h:

  --output-spdx OUTPUT_SPDX
                        Generate output SPDX report. (default: None)

I cannot find a direct refence from the FDA that says so, but from third party sources, it seems that the FDA accepts SPDX. Could you please check this?

If CycloneDX is needed, it looks like there is a tool on the CycloneDX GitHub to convert SPDS format to CycloneDX. See: https://github.com/CycloneDX/cyclonedx-cli.

Regards,

Hieu

Please be informed that due to a short holiday, there will be some delays in our responses in the coming days. Our apologies for the inconvenience.

Hi Hieu,

Thanks you for this input - and sorry it didn't occur to me to simply run west ncs-bom -h.

SPDX is also an accepted format fro FDA per my understanding, so I will try this out and review the results with out Security SME.

Thank you.

Regards Tage

Using parameter --output-spdx does not produce a JSON format that cyclonedx-cli expects