diff --git a/lite/example1-with-VEX/Lite-example-1-1-with-VEX.json b/lite/example1-with-VEX/Lite-example-1-1-with-VEX.json
new file mode 100644
index 0000000..ee7c868
--- /dev/null
+++ b/lite/example1-with-VEX/Lite-example-1-1-with-VEX.json
@@ -0,0 +1,189 @@ +{ + "@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld", + "@graph": [ + { + "type": "SpdxDocument", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Document/1", + "name": "Lite-SpdxDocument", + "comment": "if any", + "creationInfo": "_:creationinfo", + "verifiedUsing": [{ + "type": "Hash", + "algorithm": "sha3_512", + "hashValue": "hash value of Sbom object" + }], + "rootElement": [ "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1" ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Bom/1" + ], + "namespaceMap": [{ + "type": "NamespaceMap", + "prefix": "lite-example", + "namespace": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Lite/1" + }], + "dataLicense": "CC0-1.0" + }, + { + "type": "software_Sbom", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "creationInfo": "_:creationinfo", + "rootElement": [ "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/2", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/3" + ], + "software_sbomType": [ "build" ] + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-06T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "Person", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota", + 
"name": "Norio Kobota", + "creationInfo": "_:creationinfo", + "externalIdentifier": { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "norio.kobota@sony.com" + } + }, + { + "type": "software_Package", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "name": "my-package", + "comment": "if any", + "creationInfo": "_:creationinfo", + "verifiedUsing": [{ + "type": "Hash", + "algorithm": "sha3_512", + "hashValue": "hash value of the package file" + }], + "originatedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "suppliedBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota", + "builtTime": "2024-05-06T00:00:00Z", + "releaseTime": "2024-05-06T00:00:00Z", + "validUntilTime": "2034-05-06T00:00:00Z", + "supportLevel": "limitedSupport", + "software_copyrightText": "copyright text", + "software_attributionText": "other attribution text", + "software_packageVersion": "v1.0", + "software_downloadLocation": "http://dl.example.com/my-package_v1.0.tar", + "software_packageUrl": "pkg:github/example/my-package/releases/tag/v1.0", + "software_homepage": "website for the Package/1" + }, + { + "type": "simpleLicensing_LicenseExpression", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1", + "creationInfo": "_:creationinfo", + "simpleLicensing_licenseExpression": "MIT", + "simpleLicensing_licenseListVersion": "3.23.0" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/1", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "contains" + }, + { + "type": "Relationship", + "spdxId": 
"https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/2", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1" + ], + "relationshipType": "hasDeclaredLicense" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/3", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1" + ], + "relationshipType": "hasConcludedLicense" + }, + { + "type": "Bom", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Bom/1", + "creationInfo": "_:creationinfo_vex1", + "extension": [{ + "cdxPropName": "VexDocumentVersion", + "cdxPropValue": "0" + }], + "rootElement": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1" + ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vunlnerability/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/vul1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1" + ] + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_vex1", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-06T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "Vulnerability", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "name": "CVE-1234-1234", + "comment": "if any", + "creationInfo": "_:creationinfo_vex1", + "externalIdetifier": { + "identifier": "CVE-1234-1234", + "comment": "must" + }, + "security_publishedTime": 
"2024-05-06T00:00:00Z", + "security_modifiedTime": "2024-05-06T00:00:00Z" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/vul1", + "creationInfo": "_:creationinfo_vex1", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1" + ], + "relationshipType": "hasAssociatedVulnerability" + }, + { + "type": "VexUnderInvestigationVulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "name": "if any", + "comment": "if any", + "creationInfo": "_:creationinfo_vex1", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "underInvestigationFor", + "suppliedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "security_vexVersion": "0", + "security_statusNotes": "if any" + } + ] +} diff --git a/lite/example1-with-VEX/Lite-example-1-2-with-VEX.json b/lite/example1-with-VEX/Lite-example-1-2-with-VEX.json new file mode 100644 index 0000000..1d69b8f --- /dev/null +++ b/lite/example1-with-VEX/Lite-example-1-2-with-VEX.json 
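Review bot: The Bom's `element` list references `.../Vunlnerability/1`, which matches neither the `spdxId` `.../Vulnerability/1` declared a few lines later nor the Bom's own `rootElement` entry, so the VEX subject is a dangling reference and the Bom does not actually contain the vulnerability it makes statements about. The Vulnerability also spells its identifier key `externalIdetifier`, and that object lacks the `"type": "ExternalIdentifier"` / `externalIdentifierType` pair the Person element carries correctly, so a consumer matching on CVE identifiers would either fall back to `name` or miss it entirely. Suggested: `"externalIdentifier": { "type": "ExternalIdentifier", "externalIdentifierType": "cve", "identifier": "CVE-1234-1234" }` together with correcting the element id to `.../Vulnerability/1`. The `verifiedUsing` entries on the SpdxDocument and Package hold prose placeholders; a real `sha3_512` digest is 128 hex characters, and an integrity hash alone does not authenticate the supplier, so readers should not take it as a signature. The same `Vunlnerability` and `externalIdetifier` typos are repeated in the two later example files in this commit.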
@@ -0,0 +1,236 @@ +{ + "@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld", + "@graph": [ + { + "type": "SpdxDocument", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Document/2", + "name": "Lite-SpdxDocument", + "comment": "if any", + "creationInfo": "_:creationinfo_spdx", + "verifiedUsing": [{ + "type": "Hash", + "algorithm": "sha3_512", + "hashValue": "hash value of Sbom object" + }], + "rootElement": [ "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1" ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Bom/1" + ], + "namespaceMap": [{ + "type": "NamespaceMap", + "prefix": "lite-example", + "namespace": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Lite/1" + }], + "dataLicense": "CC0-1.0" + }, + { + "type": "software_Sbom", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "creationInfo": "_:creationinfo", + "rootElement": [ "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/2", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/3" + ], + "software_sbomType": "build" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-06T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_spdx", + "specVersion": "3.0.0", + "comment": "if any", + "created": 
"2024-05-07T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "Person", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota", + "name": "Norio Kobota", + "creationInfo": "_:creationinfo", + "externalIdentifier": { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "norio.kobota@sony.com" + } + }, + { + "type": "software_Package", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "name": "my-package", + "comment": "if any", + "creationInfo": "_:creationinfo", + "verifiedUsing": [{ + "type": "Hash", + "algorithm": "sha3_512", + "hashValue": "hash value of the package file" + }], + "originatedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "suppliedBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota", + "builtTime": "2024-05-06T00:00:00Z", + "releaseTime": "2024-05-06T00:00:00Z", + "validUntilTime": "2034-05-06T00:00:00Z", + "supportLevel": "limitedSupport", + "software_copyrightText": "copyright text", + "software_attributionText": "other attribution text", + "software_packageVersion": "v1.0", + "software_downloadLocation": "http://dl.example.com/my-package_v1.0.tar", + "software_packageUrl": "pkg:github/example/my-package/releases/tag/v1.0", + "software_homepage": "website for the Package/1" + }, + { + "type": "simpleLicensing_LicenseExpression", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1", + "creationInfo": "_:creationinfo", + "simpleLicensing_licenseExpression": "MIT", + "simpleLicensing_licenseListVersion": "3.23.0" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/1", + "creationInfo": "_:creationinfo", + "from": 
"https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "contains" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/2", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1" + ], + "relationshipType": "hasDeclaredLicense" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/3", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1" + ], + "relationshipType": "hasConcludedLicense" + }, + { + "type": "Bom", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Bom/1", + "creationInfo": "_:creationinfo_vex2", + "extension": [{ + "cdxPropName": "VexDocumentVersion", + "cdxPropValue": "1" + }], + "rootElement": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1" + ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vunlnerability/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/vul1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VulnAssessmentRelationship/1" + ] + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_vex1", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-06T00:00:00Z", + 
"createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_vex2", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-07T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "Vulnerability", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "name": "CVE-1234-1234", + "comment": "if any", + "creationInfo": "_:creationinfo_vex2", + "externalIdetifier": { + "identifier": "CVE-1234-1234", + "comment": "must" + }, + "security_publishedTime": "2024-05-06T00:00:00Z", + "security_modifiedTime": "2024-05-07T00:00:00Z" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/vul1", + "creationInfo": "_:creationinfo_vex1", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1" + ], + "relationshipType": "hasAssociatedVulnerability" + }, + { + "type": "VexUnderInvestigationVulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "name": "if any", + "comment": "if any", + "creationInfo": "_:creationinfo_vex1", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "underInvestigationFor", + "suppliedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "security_vexVersion": "0", + "security_statusNotes": "if any" + }, + { + "type": "VexAffectedVulnAssessmentRelationship", + "spdxId": 
"https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1", + "name": "if any", + "comment": "if any", + "creationInfo": "_:creationinfo_vex2", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "affects", + "suppliedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "security_vexVersion": "1", + "security_statusNotes": "if any", + "security_actionStatetment": "something", + "security_actionStatementTime": "2024-05-07T00:00:00Z" + }, + { + "type": "VulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VulnAssessmentRelationship/1", + "creationInfo": "_:creationinfo_vex2", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1" + ], + "relationshipType": "amends" + } + ] +} diff --git a/lite/example1-with-VEX/Lite-example-1-3-with-VEX.json b/lite/example1-with-VEX/Lite-example-1-3-with-VEX.json new file mode 100644 index 0000000..e997277 --- /dev/null +++ b/lite/example1-with-VEX/Lite-example-1-3-with-VEX.json 
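Review bot: The `affects` statement spells its remediation key `security_actionStatetment`, so the one field an `affected` VEX status exists to convey — what the consumer should do about it — is silently dropped by any schema-aware parser; it should read `"security_actionStatement": "something"`. As I read the 3.0 security profile, `actionStatement` is mandatory on `VexAffectedVulnAssessmentRelationship`, so this would fail validation rather than merely lose data. The `amends` relationship also looks reversed: `from` is the older `underInvestigationFor` assessment (`security_vexVersion` "0") and `to` is the newer `affects` one ("1"), whereas in the SPDX relationship vocabulary the `from` element amends the `to` element, so a consumer following it would treat the stale status as current. It is typed `VulnAssessmentRelationship`, which I believe is an abstract class in the 3.0 model; a plain `"type": "Relationship"` with `"relationshipType": "amends"`, as the other relationships in this file use, would be safer. Separately, `software_sbomType` is a bare string here but an array (`[ "build" ]`) in the first example file.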
@@ -0,0 +1,273 @@ +{ + "@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld", + "@graph": [ + { + "type": "SpdxDocument", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Document/3", + "name": "Lite-SpdxDocument", + "comment": "if any", + "creationInfo": "_:creationinfo_spdx", + "verifiedUsing": [{ + "type": "Hash", + "algorithm": "sha3_512", + "hashValue": "hash value of Sbom object" + }], + "rootElement": [ "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1" ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Bom/1" + ], + "namespaceMap": [{ + "type": "NamespaceMap", + "prefix": "lite-example", + "namespace": "http://spdx.example.com/Lite/1" + }], + "dataLicense": "CC0-1.0" + }, + { + "type": "software_Sbom", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/2", + "creationInfo": "_:creationinfo", + "rootElement": [ "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/2", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/3" + ], + "software_sbomType": "build" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-08T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_spdx", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-08T00:00:00Z", + "createdBy": 
"https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "Person", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota", + "name": "Norio Kobota", + "creationInfo": "_:creationinfo", + "externalIdentifier": { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "norio.kobota@sony.com" + } + }, + { + "type": "software_Package", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "name": "my-package", + "comment": "if any", + "creationInfo": "_:creationinfo", + "verifiedUsing": [{ + "type": "Hash", + "algorithm": "sha3_512", + "hashValue": "hash value of the package file" + }], + "originatedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "suppliedBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota", + "builtTime": "2024-05-08T00:00:00Z", + "releaseTime": "2024-05-08T00:00:00Z", + "validUntilTime": "2034-05-08T00:00:00Z", + "supportLevel": "limitedSupport", + "software_copyrightText": "copyright text", + "software_attributionText": "other attribution text", + "software_packageVersion": "v1.1", + "software_downloadLocation": "http://dl.example.com/my-package_v1.0.tar", + "software_packageUrl": "pkg:github/example/my-package/releases/tag/v1.0", + "software_homepage": "website for the Package/1" + }, + { + "type": "simpleLicensing_LicenseExpression", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1", + "creationInfo": "_:creationinfo", + "simpleLicensing_licenseExpression": "MIT", + "simpleLicensing_licenseListVersion": "3.23.0" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/1", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Sbom/1", + "to": [ + 
"https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "contains" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/2", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1" + ], + "relationshipType": "hasDeclaredLicense" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/3", + "creationInfo": "_:creationinfo", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1" + ], + "relationshipType": "hasConcludedLicense" + }, + { + "type": "Bom", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Bom/1", + "creationInfo": "_:creationinfo_vex3", + "extension": [{ + "cdxPropName": "VexDocumentVersion", + "cdxPropValue": "2" + }], + "rootElement": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1" + ], + "element": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vunlnerability/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/vul1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexFixedVulnAssessmentRelationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VulnAssessmentRelationship/1", + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VulnAssessmentRelationship/2" + ] + }, + { + "type": "CreationInfo", + 
"@id": "_:creationinfo_vex1", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-06T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_vex2", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-07T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "CreationInfo", + "@id": "_:creationinfo_vex3", + "specVersion": "3.0.0", + "comment": "if any", + "created": "2024-05-08T00:00:00Z", + "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + }, + { + "type": "Vulnerability", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "name": "CVE-1234-1234", + "comment": "if any", + "creationInfo": "_:creationinfo_vex4", + "externalIdetifier": { + "identifier": "CVE-1234-1234", + "comment": "must" + }, + "security_publishedTime": "2024-05-06T00:00:00Z", + "security_modifiedTime": "2024-05-08T00:00:00Z" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Relationship/vul1", + "creationInfo": "_:creationinfo_vex1", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1" + ], + "relationshipType": "hasAssociatedVulnerability" + }, + { + "type": "VexUnderInvestigationVulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "name": "if any", + "comment": "if any", + "creationInfo": "_:creationinfo_vex1", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + 
"relationshipType": "underInvestigationFor", + "suppliedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "security_vexVersion": "0", + "security_statusNotes": "if any" + }, + { + "type": "VexAffectedVulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1", + "name": "if any", + "comment": "if any", + "creationInfo": "_:creationinfo_vex2", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "affects", + "suppliedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "security_vexVersion": "1", + "security_statusNotes": "if any", + "security_actionStatetment": "something", + "security_actionStatementTime": "2024-05-07T00:00:00Z" + }, + { + "type": "VexFixedVulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexFixedVulnAssessmentRelationship/1", + "name": "if any", + "comment": "if any", + "creationInfo": "_:creationinfo_vex3", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Vulnerability/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Package/1" + ], + "relationshipType": "fixedIn", + "suppliedBy": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" + ], + "security_vexVersion": "2", + "security_statusNotes": "if any" + }, + { + "type": "VulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VulnAssessmentRelationship/1", + "creationInfo": "_:creationinfo_vex2", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexUnderInvestigationVulnAssessmentRelationship/1", + "to": [ + 
"https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1" + ], + "relationshipType": "amends" + }, + { + "type": "VulnAssessmentRelationship", + "spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VulnAssessmentRelationship/2", + "creationInfo": "_:creationinfo_vex4", + "from": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexAffectedVulnAssessmentRelationship/1", + "to": [ + "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/VexFixedVulnAssessmentRelationship/1" + ], + "relationshipType": "amends" + } + ] +} diff --git a/lite/example1-with-VEX/README.md b/lite/example1-with-VEX/README.md new file mode 100644 index 0000000..f80d90a --- /dev/null +++ b/lite/example1-with-VEX/README.md @@ -0,0 +1,25 @@ +# Lite/Example 1 with Security Profile(VEX) + +## Description + +This is a JSON-LD file provided using Lite profile when providing Package1, a software package provided under the MIT license. +And Security Profile(Minimum Requirement VEX) information is added. +Package1 has one vulnerability, CVE-1234-1234. +This sample contains 3 files to show the VEX status transition. +The trasition is as follows: +1. UnderInvestigation: Lite-example-1-1-with-VEX.json + ![Fig1](img/Lite-example-1-1-with-VEX.png) +2. Affected: Lite-example-1-2-with-VEX.json + ![Fig2](img/Lite-example-1-2-with-VEX.png) +3. Fixed: Lite-example-1-3-with-VEX.json + ![Fig3](img/Lite-example-1-3-with-VEX.png) + +``` +Supplier ---> Receiver + | + +- Package1 (MIT license) +``` + +## Comments +There is no property to describe "2.2.1 Document ID" in [Minimum Requirements for Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex) in the current SPDX3.0 specification. +Therefore, in this sample, "2.2.1 Document ID" is described in property "extesion" in Element class. 
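Review bot: The `fixedIn` statement points at `.../Package/1`, the same spdxId the two earlier example files use for the vulnerable v1.0 package, while this file bumps `software_packageVersion` to `v1.1` but leaves `software_downloadLocation` and `software_packageUrl` at `v1.0`, so a consumer cannot tell which artifact is fixed and could attach the "fixed" status to the vulnerable tarball. The fixed release should be a distinct element (e.g. `.../Package/2`) with its own hash, download location and purl (`pkg:github/example/my-package/releases/tag/v1.1`), and `fixedIn` should target that element. Two elements declare `"creationInfo": "_:creationinfo_vex4"` (the Vulnerability and `VulnAssessmentRelationship/2`) but only `_:creationinfo_vex1`, `_vex2` and `_vex3` are defined, leaving dangling blank nodes; `_:creationinfo_vex3` appears to be the intended value. The Sbom's spdxId was changed to `.../Sbom/2`, yet the SpdxDocument's `rootElement`/`element` and `Relationship/1` still reference `.../Sbom/1`. Both `amends` relationships run from the older assessment to the newer one, whereas in the SPDX vocabulary the `from` element amends the `to` element, and the `namespaceMap` namespace (`http://spdx.example.com/Lite/1`) now differs from the other two examples.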
diff --git a/lite/example1-with-VEX/img/Lite-example-1-1-with-VEX.png b/lite/example1-with-VEX/img/Lite-example-1-1-with-VEX.png
new file mode 100644
index 0000000..a0af3bd
Binary files /dev/null and b/lite/example1-with-VEX/img/Lite-example-1-1-with-VEX.png differ
diff --git a/lite/example1-with-VEX/img/Lite-example-1-2-with-VEX.png b/lite/example1-with-VEX/img/Lite-example-1-2-with-VEX.png
new file mode 100644
index 0000000..a9a6429
Binary files /dev/null and b/lite/example1-with-VEX/img/Lite-example-1-2-with-VEX.png differ
diff --git a/lite/example1-with-VEX/img/Lite-example-1-3-with-VEX.png b/lite/example1-with-VEX/img/Lite-example-1-3-with-VEX.png
new file mode 100644
index 0000000..c6a6a41
Binary files /dev/null and b/lite/example1-with-VEX/img/Lite-example-1-3-with-VEX.png differ