%% You should probably cite rfc9472 instead of this I-D.
@techreport{ietf-opsawg-sbom-access-03,
    number =    {draft-ietf-opsawg-sbom-access-03},
    type =      {Internet-Draft},
    institution =   {Internet Engineering Task Force},
    publisher = {Internet Engineering Task Force},
    note =      {Work in Progress},
    url =       {https://datatracker.ietf.org/doc/draft-ietf-opsawg-sbom-access/03/},
    author =    {Eliot Lear and Scott Rose},
    title =     {{Discovering and Retrieving Software Transparency and Vulnerability Information}},
    pagetotal = 19,
    year =      2021,
    month =     oct,
    day =       24,
    abstract =  {To improve cybersecurity posture, automation is necessary to locate what software is running on a device, whether that software has known vulnerabilities, and what, if any recommendations suppliers may have. This memo specifies a model to provide access to this information. It may optionally be discovered through manufacturer usage descriptions.},
}