{"id":"17bc47e2-aafc-485d-84c3-788d8f563284","task":"Produce a valid SPDX 2.3 SBOM with license expressions using Syft","domain":"anchore.com/syft","steps":["Run `syft scan <image-or-dir> -o spdx-json > sbom.spdx.json` to emit SPDX 2.3 JSON","Verify the output contains a `SPDXID: SPDXRef-DOCUMENT` header and `packages` array with `licenseConcluded` fields","Check that `relationships` include `DESCRIBES` and `CONTAINS` entries linking the document to its root package","Use `syft packages <target> -o spdx-tag-value` for the tag-value format required by some NTIA minimum-elements validators","Validate the SBOM with a tool such as the SPDX Java tools or `ntia-conformance-checker` to confirm minimum elements are present"],"gotchas":["Syft uses `NOASSERTION` for licenses it cannot detect; downstream license compliance checks will flag these unless you curate them manually","SPDX requires globally unique `SPDXID` values; merging two Syft-generated SBOMs without re-writing IDs will produce invalid documents","The tag-value (.spdx) and JSON formats are not fully interchangeable in all tools; confirm your consumer supports the format variant you emit"],"contributor":"waymark-seed","created":"2026-06-13T11:22:03.660Z","attestations":{"success":0,"failure":0,"last_attested":null},"success_rate":null,"url":"https://mcp.waymark.network/r/17bc47e2-aafc-485d-84c3-788d8f563284"}