Explain how inter SBOM linking works

Reading about [Packages and relationships](https://redhatproductsecurity.github.io/security-data-guidelines/sbom/#packages-and-relationships), I understand how those are connected.

However, I don't really get the idea on how those would be connected when present in different SBOMs. Which would be case with [Shallow SBOMs](https://redhatproductsecurity.github.io/security-data-guidelines/sbom/#shallow-vs-complete).

There's a note about this in [Component-Level vs Product-Level](https://redhatproductsecurity.github.io/security-data-guidelines/sbom/#component-level-vs-product-level):

> Note that the root package described by the component-level SBOM, the OpenSSL Source RPM (SRPM), is the only reference present in the product-level SBOM to not duplicate information between the two SBOMs. The purl reference from the SRPM package can be used to discover the component-level SBOM from the product-level SBOM.

I'd expect some more detail in the later sections and also some examples.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Explain how inter SBOM linking works #74

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Explain how inter SBOM linking works #74

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions