add Lite profile examples #91
Conversation
Signed-off-by: notanaka <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
There was a problem hiding this comment.
The CI with likely find many more problems once it runs. I'll admit that the output of the checks, while very through, can be difficult to interpret. If you run into trouble getting these to pass CI, let me know and I can help interpret the errors.
Overall, the structure of these documents seems fine, they just need to conform to the JSON schema and SHACL model (which is done by CI) and they should be OK
| @@ -0,0 +1,189 @@ | |||
| { | |||
| "@context": "https://raw.githubusercontent.com/spdx/spdx-3-serialization-prototype-playground/main/jsonld/spdx-3.0-context.json-ld", | |||
There was a problem hiding this comment.
This is the example context URL, the actual URL needs to be used now, which is:
"@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld"| "@graph": [ | ||
| { | ||
| "type": "SpdxDocument", | ||
| "spdxId": "http://spdx.example.com/Document/1", |
There was a problem hiding this comment.
http://spdx.example.com/Document/1 is not a good example spdxId. An SPDX ID needs some universally unique identifier, and SPDX has a defined URL prefix of https://spdx.org/spdxdocs/ for the case where the producer doesn't have their own domain. Thus, your spdx ID should probably look something like:
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Document/1"The https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/ prefix can be reused for all the other objects in this document keeping the existing scheme of appending the type and an index if you desire.
| "algorithm": "sha3_512", | ||
| "hashValue": "hash value of Sbom object" | ||
| }], | ||
| "rootElement": "http://spdx.example.com/Sbom/1", |
There was a problem hiding this comment.
I believe this has to be an array to validate:
"rootElement": [ "http://spdx.example.com/Sbom/1" ],| "type": "NamespaceMap", | ||
| "prefix": "lite-example", | ||
| "namespace": "http://spdx.example.com/Lite/1" | ||
| }], |
There was a problem hiding this comment.
This namespace map is not used in the document, so please remove it for clarity
| "dataLicense": "CC0-1.0" | ||
| }, | ||
| { | ||
| "type": "Sbom", |
There was a problem hiding this comment.
Object types are always prefixed by their namespace (e.g. profile) unless they are from core, so this needs to be:
"type": "software_Sbom",There was a problem hiding this comment.
Thanks! I will fix them.
Just curious, why prefix these with profile names?
In particular, JSON is structured, and I personally think that it is possible to understand the context depending on which closure contains the same key value.
If there are discussions in the past, I would appreciate it if you could give me pointers.
| "http://spdx.example.com/Relationship/2", | ||
| "http://spdx.example.com/Relationship/3" | ||
| ], | ||
| "sbomType": "build" |
There was a problem hiding this comment.
Property names are always prefix by their namespace (e.g. profile) unless they are from core, so this needs to be:
"software_sbomType": [ "build" ],Also be aware that SPDX 3.0 JSON doesn't allow array eliding, so if a property has any max ordinality other than 1, it must be an array in JSON, even if it only contains one item.
| "http://spdx.example.com/Package/1" | ||
| ], | ||
| "relationshipType": "underInvestigationFor", | ||
| "/Core/suppliedBy": [ |
There was a problem hiding this comment.
Just suppliedBy for the property name. Namespacing of properties and types is handled as described above
There was a problem hiding this comment.
"/Core/suppliedBy" is the description in the SPDX specification as follows.
How can I modify this, is it acceptable to remove "/Core/"?
/Core/suppliedBy
type: /Core/Agent
minCount: 0
maxCount: 1
There was a problem hiding this comment.
Yes, in this case it's just Agent, it's important to remember that the names of objects and properties in the "model" described in the SPDX 3 spec are not the same as the types and property names used in any given serialization format. The serialization formats have different rules for how to translate the model names to types and properties. The JSON rules are described in my other comments, but to be explicit, it is:
Object types and properties from the Core namespace have no prefix (e.g. /Core/Agent is Agent). Object types and properties from other namespaces are prefixed by a lower case version of the namespace + "_" (e.g. /Software/Sbom is software_Sbom, /Software/sbomType is software_sbomType).
There was a problem hiding this comment.
And to be clear, the namespace of the object type is irrelevent to the naming of properties. For example, even though this software_Sbom object is in the Software namespace, the exact same rules described above apply to all its properties, so it's just suppliedBy not core_suppliedBy, and software_sbomType not sbomType.
The reason for this is that the mapping of type names and properties is context-free (e.g. global), so it doesn't depend on which specific object the property is found in.
There was a problem hiding this comment.
Thank you for your clarification.
I can understand how to describe json format from the specification.
There was a problem hiding this comment.
The reason for this is that the mapping of type names and properties is context-free (e.g. global), so it doesn't depend on which specific object the property is found in.
I don’t fully understand it yet, but I understand this is the answer for this comment. #91 (comment)
Thanks.
| @@ -0,0 +1,189 @@ | |||
| { | |||
There was a problem hiding this comment.
This document needs two things to be checked by CI:
- It needs to have a ".json" extension instead of ".jsonld"
- It needs to existing in a "spdx-3.0" directory
As such, I would recommend naming this file: lite/example1-with-VEX/spdx-3.0/Lite-example-1-1-with-VEX.spdx.json and naming the other examples in this PR similarly
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Norio Kobota <[email protected]>
NorioKobota
force-pushed
the
lite-profile
branch
from
3b13c8f
to
552d82e
Compare
Signed-off-by: Norio Kobota <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
Merge lite example 1
Signed-off-by: Norio Kobota <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Merge example1-with-VEX under spdx-3.0 directory
|
@JPEWdev Sorry to be late, but we have corrected the points you pointed out, so could you please take a look again? |
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
…lass. Signed-off-by: Nobuyuki Tanaka <[email protected]>
…examples into merge-lite-example-1
Merge changes to add security_ prefix to type in Security profile
There was a problem hiding this comment.
Example 2 has few issues. Please see suggestions. @NorioKobota @no-ta
| "externalIdentifier": { | ||
| "type": "ExternalIdentifier", | ||
| "externalIdentifierType": "email", | ||
| "identifier": "[email protected]" | ||
| } |
There was a problem hiding this comment.
| "externalIdentifier": { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "email", | |
| "identifier": "[email protected]" | |
| } | |
| "externalIdentifier": [ | |
| { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "email", | |
| "identifier": "[email protected]" | |
| } | |
| ] |
externalIdentifier requires array, as its maxCount is *.
| "software_packageVersion": "v1.0", | ||
| "software_downloadLocation": "http://dl.example.com/my-package_v1.0.tar", | ||
| "software_packageUrl": "pkg:github/example/my-package/releases/tag/v1.0", | ||
| "software_homepage": "website for the Package/1" |
There was a problem hiding this comment.
| "software_homepage": "website for the Package/1" | |
| "software_homePage": "website for the Package/1" |
| "simpleLicensing_licenseExpression": "GPL-2.0-only", | ||
| "simpleLicensing_licenseListVersion": "3.23.0" |
There was a problem hiding this comment.
| "simpleLicensing_licenseExpression": "GPL-2.0-only", | |
| "simpleLicensing_licenseListVersion": "3.23.0" | |
| "simplelicensing_licenseExpression": "GPL-2.0-only", | |
| "simplelicensing_licenseListVersion": "3.23.0" |
lowercase L for licensing
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-06T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "software_copyrightText": "copyright text", | ||
| "software_attributionText": "other attribution text", |
There was a problem hiding this comment.
| "software_copyrightText": "copyright text", | |
| "software_attributionText": "other attribution text", | |
| "software_copyrightText": "copyright text", | |
| "software_attributionText": [ | |
| "other attribution text" | |
| ], |
| "prefix": "lite-example", | ||
| "namespace": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Lite/1" | ||
| }], | ||
| "dataLicense": "CC0-1.0" |
There was a problem hiding this comment.
The value of dataLicense needs to be a License object of /SimpleLicensing/AnyLicenseInfo class, not string.
See https://spdx.github.io/spdx-spec/v3.0/model/Core/Properties/dataLicense/
| "externalIdentifier": { | ||
| "type": "ExternalIdentifier", | ||
| "externalIdentifierType": "email", | ||
| "identifier": "[email protected]" | ||
| } |
There was a problem hiding this comment.
| "externalIdentifier": { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "email", | |
| "identifier": "[email protected]" | |
| } | |
| "externalIdentifier": [ | |
| { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "email", | |
| "identifier": "[email protected]" | |
| } | |
| ] |
Entries must be inside an array.
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-06T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "software_packageVersion": "v1.0", | ||
| "software_downloadLocation": "http://dl.example.com/my-package_v1.0.tar", | ||
| "software_packageUrl": "pkg:github/example/my-package/releases/tag/v1.0", | ||
| "software_homepage": "website for the Package/1" |
There was a problem hiding this comment.
| "software_homepage": "website for the Package/1" | |
| "software_homePage": "website for the Package/1" |
| "simpleLicensing_licenseExpression": "MIT", | ||
| "simpleLicensing_licenseListVersion": "3.23.0" |
There was a problem hiding this comment.
| "simpleLicensing_licenseExpression": "MIT", | |
| "simpleLicensing_licenseListVersion": "3.23.0" | |
| "simplelicensing_licenseExpression": "MIT", | |
| "simplelicensing_licenseListVersion": "3.23.0" |
| "supportLevel": "limitedSupport", | ||
| "software_copyrightText": "copyright text", | ||
| "software_attributionText": "other attribution text", |
There was a problem hiding this comment.
| "supportLevel": "limitedSupport", | |
| "software_copyrightText": "copyright text", | |
| "software_attributionText": "other attribution text", | |
| "supportLevel": [ | |
| "limitedSupport" | |
| ], | |
| "software_copyrightText": "copyright text", | |
| "software_attributionText": [ | |
| "other attribution text" | |
| ], |
| "simpleLicensing_licenseExpression": "MIT", | ||
| "simpleLicensing_licenseListVersion": "3.23.0" |
There was a problem hiding this comment.
| "simpleLicensing_licenseExpression": "MIT", | |
| "simpleLicensing_licenseListVersion": "3.23.0" | |
| "simplelicensing_licenseExpression": "MIT", | |
| "simplelicensing_licenseListVersion": "3.23.0" |
| "software_homepage": "website for the Package/1" | ||
| }, | ||
| { | ||
| "type": "simpleLicensing_LicenseExpression", |
There was a problem hiding this comment.
| "type": "simpleLicensing_LicenseExpression", | |
| "type": "simplelicensing_LicenseExpression", |
| "builtTime": "2024-05-06T00:00:00Z", | ||
| "releaseTime": "2024-05-06T00:00:00Z", | ||
| "validUntilTime": "2034-05-06T00:00:00Z", | ||
| "supportLevel": "limitedSupport", |
There was a problem hiding this comment.
| "supportLevel": "limitedSupport", | |
| "supportLevel": [ | |
| "limitedSupport" | |
| ], |
| "software_homepage": "website for the Package/1" | ||
| }, | ||
| { | ||
| "type": "simpleLicensing_LicenseExpression", |
There was a problem hiding this comment.
| "type": "simpleLicensing_LicenseExpression", | |
| "type": "simplelicensing_LicenseExpression", |
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-06T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-07T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "externalIdentifier": { | ||
| "type": "ExternalIdentifier", | ||
| "externalIdentifierType": "email", | ||
| "identifier": "[email protected]" | ||
| } |
There was a problem hiding this comment.
| "externalIdentifier": { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "email", | |
| "identifier": "[email protected]" | |
| } | |
| "externalIdentifier": [ | |
| { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "email", | |
| "identifier": "[email protected]" | |
| } | |
| ] |
| "builtTime": "2024-05-06T00:00:00Z", | ||
| "releaseTime": "2024-05-06T00:00:00Z", | ||
| "validUntilTime": "2034-05-06T00:00:00Z", | ||
| "supportLevel": "limitedSupport", |
There was a problem hiding this comment.
| "supportLevel": "limitedSupport", | |
| "supportLevel": [ | |
| "limitedSupport" | |
| ], |
| "validUntilTime": "2034-05-06T00:00:00Z", | ||
| "supportLevel": "limitedSupport", | ||
| "software_copyrightText": "copyright text", | ||
| "software_attributionText": "other attribution text", |
There was a problem hiding this comment.
| "software_attributionText": "other attribution text", | |
| "software_attributionText": [ | |
| "other attribution text" | |
| ], |
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-06T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-07T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "specVersion": "3.0.0", | ||
| "comment": "if any", | ||
| "created": "2024-05-08T00:00:00Z", | ||
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" |
There was a problem hiding this comment.
| "createdBy": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| "createdBy": [ | |
| "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Agent/NorioKobota" | |
| ] |
| "externalIdetifier": { | ||
| "type": "ExternalIdentifier", | ||
| "externalIdentifierType": "cve", | ||
| "identifier": "CVE-1234-1234", | ||
| "comment": "must" | ||
| }, |
There was a problem hiding this comment.
| "externalIdetifier": { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "cve", | |
| "identifier": "CVE-1234-1234", | |
| "comment": "must" | |
| }, | |
| "externalIdetifier": [ | |
| { | |
| "type": "ExternalIdentifier", | |
| "externalIdentifierType": "cve", | |
| "identifier": "CVE-1234-1234", | |
| "comment": "must" | |
| } | |
| ], |
| ``` | ||
|
|
||
| ## Comments | ||
| There is no property to describe "2.2.1 Document ID" in [Minimum Requirements for Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex) in the current SPDX3.0 specification. |
There was a problem hiding this comment.
| There is no property to describe "2.2.1 Document ID" in [Minimum Requirements for Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex) in the current SPDX3.0 specification. | |
| There is no property to describe "2.2.1 Document ID" in | |
| [Minimum Requirements for Vulnerability Exploitability eXchange (VEX)](https://www.cisa.gov/resources-tools/resources/minimum-requirements-vulnerability-exploitability-exchange-vex) | |
| in the current SPDX 3.0 specification. |
We implemented three samples that show how to use Lite Profile.
We would appriciate your review.