Procedure

Generating an SBOM requires defaults and templates to ensure it meets the required format and contains the correct content. The subsequent chapters provide examples of various metadata files and descriptions of the tags used within them. Some values are fixed, while others depend on you as the software supplier and the specific product version(s) for which you must create an SBOM.

You must define a list of product versions for which SBOMs must be generated. For each product version in this list, you must specify metadata that describes the product version. A product version can be considered as a PMC Base VRC.

The raw data originates from the system where the product is developed or where the PMC solutions for the product are created. If the product version is still under development or maintenance, data gathering must be performed regularly, depending on the activity level for that product version. The raw data consists of a list of PMC solutions released for the product version.

The Generate SBOM (ttpmc1260m000) session is used to create SBOMs. This session can be scheduled as a job and includes a net change mode, ensuring that SBOMs are generated only if there were changes to the raw data, such as the delivery of a new PMC solution for the product version, or if metadata files were modified.