Merge produces non-compliant SBOM

As well as I explained in [this](https://github.com/CycloneDX/cyclonedx-cli/pull/334) merge request, SBOMs have to comply with [NTIA](https://www.ntia.gov/sites/default/files/publications/sbom_minimum_elements_report_0.pdf), [NIST](https://www.nist.gov/itl/executive-order-14028-improving-nations-cybersecurity/software-security-supply-chains-software-1) and CRA (Cyber Resiliant Act) regulations, which require time stamping as a **minimum requirement for SBOMs**.

However, the merge command **currently does not include** timestamp metadata. The previous merge request proposes setting the date at the time of merging. This feature may need to be added to ensure SBOM compliance.

We could then add the merging of each SBOM's metadata.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Merge produces non-compliant SBOM #438

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Uh oh!

Merge produces non-compliant SBOM #438

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions