Add SPDX 3.0 for example7 #85
Conversation
|
My questions:
|
|
This is a draft but reviews are requested? |
| }, | ||
| { | ||
| "spdxId": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", | ||
| "type": "Software_Package", |
There was a problem hiding this comment.
| "type": "Software_Package", | |
| "type": "software_Package", |
| }, | ||
| { | ||
| "spdxId": "https://golang.org/dl/go-compiler", | ||
| "type": "Software_File", |
There was a problem hiding this comment.
| "type": "Software_File", | |
| "type": "software_File", |
| "software" | ||
| ], | ||
| "dataLicense": "CC0-1.0", | ||
| "createdUsing": [ |
There was a problem hiding this comment.
createdUsing seems to not be valid here. At least it trips the validator.
There was a problem hiding this comment.
Hmm...this file was created manually, not using any tool. How do we state that here?
There was a problem hiding this comment.
created using is a property of the creationInfo, not any element. It explains how the SPDX file was created.
It's a first pass review to iron out the obvious mistakes. I'll convert it into an actual PR after I get feedback. Thanks a bunch! |
|
#86 Will make it so that automatic validation is done on pull requests |
You can make a URI with a UUID. If you don't own your own domain use: https://spdx.org/spdxdocs/-UUID
Referencing the same object that is referenced somewhere use and externalID. Don't worry about multiple UUIDs referencing the same thing. Resolving the two different objects is fraught. They are in the end two different elements. Content identifiers can help but they are not the same thing. Equivalent but not equal.
Use SimpleLicensing > SimpleLicensingText For Copyright text use Software > copyrightText
dataLicense is optional but CC0 is typically the one we use
You don't need it. The element list covers it. Technically, the SpdxDocument.element should contain all SPDXIDs in the file except itself, but it is accepted that @graph is equivalent. This is not the case for any other container object.
Don't include this. If the document is not created by a tool there will be no Tool element in the CreationInfo.
The file name doesn't matter. Meanwhile, the files can have the |
| "element": [ | ||
| "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", | ||
| "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", | ||
| "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde", |
| "comment": "The SBOM communicates that this document is an SBOM. The SBOM only has one element", | ||
| "rootElement": [ | ||
| "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" | ||
| ] |
| ] | ||
| "element": [ | ||
| "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", | ||
| "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", |
There was a problem hiding this comment.
Same as above, you probably meant:
"urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8"
| "creationInfo": "_:creationInfo", | ||
| "comment": "The SBOM communicates that this document is an SBOM. The SBOM only has one element", | ||
| "rootElement": [ | ||
| "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" |
There was a problem hiding this comment.
Wrong spdxId. Assuming you intended to set the package spdxId, set:
"urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8"
nishakm
force-pushed
the
example7-spdx3
branch
2 times, most recently
from
3cc3127
to
dff9a0f
Compare
|
@JPEWdev @maxhbr @goneall @ilans This is ready for review. Questions from me:
|
nishakm
force-pushed
the
example7-spdx3
branch
4 times, most recently
from
67b1c05
to
ff5b79b
Compare
software/example7/spdx-3.0/example7-third-party-modules.spdx.json
Outdated
Show resolved
Hide resolved
nishakm
force-pushed
the
example7-spdx3
branch
3 times, most recently
from
55065d2
to
9ccf7ad
Compare
|
Pending validator fixes, this is expected to pass. Waiting for merge before rechecing. |
|
@nishakm - can you rebase so the checks pass (merged in Josh's fix) |
Signed-off-by: Nisha Kumar <[email protected]>
- Use URN instead of URI for spdxId - Fix capitalization on types - Move `createdUsing` to `CreationInfo` object Signed-off-by: Nisha Kumar <[email protected]>
Signed-off-by: Nisha Kumar <[email protected]>
- Remove "createdUsing" as these files are manually created - "rootElement" is a list - "element" in the SBOM element is a list of all elements in the SBOM Signed-off-by: Nisha Kumar <[email protected]>
Signed-off-by: Nisha Kumar <[email protected]>
- Remove Organization element - Fix root element and element list uuids Signed-off-by: Nisha Kumar <[email protected]>
Signed-off-by: Nisha Kumar <[email protected]>
Signed-off-by: Nisha Kumar <[email protected]>
Signed-off-by: Nisha Kumar <[email protected]>
- Add specVersion to creationInfo object - Only one context allowed - originatedBy is an array - dataLicense is not required - Fix element list in example7-third-party-modules.spdx.json - Remove build conformance (requires more information about the build) Signed-off-by: Nisha Kumar <[email protected]>
- Recalculate hashes for ExternalMap - Remove Build element - Update relationships - Remove Build id from element list - Move all ExternalMap elements to SpdxDocument "imports" Signed-off-by: Nisha Kumar <[email protected]>
nishakm
force-pushed
the
example7-spdx3
branch
from
1ae83ba
to
23abdcc
Compare
Signed-off-by: Nisha Kumar <[email protected]>
|
@kestewart Done! Ready to merge |
|
Thanks @nishakm - I'll go ahead and merge. We may need to do some updates once we get the validation updated to 3.0.1, but we can take care of that after we update the validation. |
No description provided.