alt Hacker NewsOr tag-value, which is actually preferred by many practitioners. Nesting is implicit in that format, but SBOMs should be mostly flat, anyway.
Unfortunately, T-V hs been dropped in SPDX 3.0.
Or tag-value, which is actually preferred by many practitioners. Nesting is implicit in that format, but SBOMs should be mostly flat, anyway.
Unfortunately, T-V hs been dropped in SPDX 3.0.
It was dropped exactly because it was flat and it was becoming completely unmanageable.
SPDX v3 is based on a graph model that can represent hierarchies natively. It can then be serialized in a file, for example, in JSON format.