This is a minor release of the Guide.
The following updates to the Guide have been made in version 1.1:
- Both PackageChecksum and PackageVerificationCode are allowed as the package hash.
- The package hash is RECOMMENDED instead of MANDATORY.
- ExternalRef is RECOMMENDED instead of MANDATORY.
- FilesAnalyzed is no longer MANDATORY.
- Examples are provided for the CISA SBOM Types.
- A RECOMMENDED syntax is given for CISA SBOM Types.
- sbomasm is a better example of an SBOM merge tool.
- A reference to the new CISA document is added.
An SBOM that conforms to version 1.0 of the Guide will also conform to version 1.1 of the Guide. The reverse is not true.