THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Difference between revisions of "GSOC/GSOC ProjectIdeas"

From SPDX Wiki
Jump to: navigation, search
m (Skills Needed)
(Add Golang RDF Saver project)
 
(34 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
<br />
 
<br />
  
<span style="font-size:150%">'''Welcome to the 2020 SPDX Google Summer of Code Project Page'''</span>
+
<span style="font-size:150%">'''Welcome to the 2022 SPDX Google Summer of Code Project Page'''</span>
  
 
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.
 
See the [https://rtgdk.github.io/spdx-gsoc-proposal.html proposal template] if you are interested in submitting a Google Summer of Code proposal.
Line 41: Line 41:
 
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]
 
* [https://lists.spdx.org/mailman/listinfo/spdx-tech SPDX tech mailing list]
  
=Proposed 2020 Projects=
+
= Ideas for 2022 Projects =
  
Mentors:  please fill out the following template for any projects you wish to propose.  
+
== SBOM Conformance Checker ==
 +
The goal of this project is to create a simple tool that
 +
checks whether an SBOM (in SPDX format)
 +
conforms to NTIA's minimum elements guidance.
 +
=== Description ===
 +
The SPDX Specification defines a number of fields (elements) that may appear in an SBOM (Software Bill of Materials).
 +
Not all of them are mandatory, however, so SBOMs in SPDX format can vary greatly.
  
=== Project Name ===
+
While researching the attributes that have to be present in an SBOM,
add overview of project here
+
NTIA came up with a guidance about the minimum elements that must appear therein:
====Skills Needed====
+
https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf
what skills should the student have to do the coding exercises
+
====Background Information====
+
context for the project and references to be studied
+
====Available Mentors====
+
list individuals who are willing to mentor and provide information about the project proposal.  
+
  
(The projects from last year can be found on the [https://summerofcode.withgoogle.com/organizations/4532099550281728/#5727887162867712 2019 Google Summer of Code projects page for SPDX] ).
+
It would, therefore, be useful to have a tool that can determine whether an SBOM stored in SPDX format
 +
fulfills all such minimum obligations.
  
==SPDX Workgroup Tooling Projects==  
+
The tool should make use of the already existing libraries for reading SPDX documents
These projects are aimed at contributing to the SPDX tools to help reduce the effort to create SPDX documents and increase the accuracy of them.
+
=== Technologies ===
 +
Python
 +
=== Duration ===
 +
This will be a short (175 hours) project.
 +
It might be extended to a long (350 hours) project if integration
 +
with the existing SPDX handling tools (e.g., the Validation tool)
 +
is also implemented.
 +
=== Mentors ===
 +
Dick Brooks, Kate Stewart
  
===Implement SPDX License Matching in Python===
+
== Private license management system ==
Implement as much of the SPDX License Matching Guidelines as practical in Python.  This could replace the current Java implementation for the [http://13.57.134.254/app/check_license/ Check License] SPDX Online license checking tool.
+
A web-based system for managing license texts; similar to the SPDX License List but oriented towards other private collections of licenses.
 +
=== Description ===
 +
The goal of the project would be to create a simple web application
 +
for people to upload license texts
 +
and automatically create a license repository.
 +
The initial rough "functional specifications" describe it as
 +
mainly an input form, where the information is entered.
 +
There will be some automatic processing (e.g., canonicalization, duplicate avoidance, etc.),
 +
a review/approval (and naming) step,
 +
and then publishing in a specified format.
  
Following is a list of suggested features:
+
It should be noted that the specification is not yet finalized
* Provide an interface which will check text against a license template using the license matching guidelines
+
regarding naming namespaces, way to publish licenses, etc.
* Provide an interface which will check text and return all matching SPDX listed license ID's
+
If the SPDX project has already advanced in these definitions,
* Provide an interface which takes 2 license texts as input and returns a boolean indicating if the 2 licenses match per the license matching guidelines
+
this project will obviously implement the decisions taken.
* When there is not a match, provide a return value making it possible to describe where and why the license does not match
+
=== Technologies ===
 +
Python (any framework) for the back-end; JavaScript (any framework) for the minimal front-end.
 +
=== Duration ===
 +
This can be either a short (175 hours) project, implementing only the basic functionality;
 +
or a long (350 hours) one, implementing more functionality and automation.
 +
=== Mentors ===
 +
Alexios Zavras; more TBD
  
====Background Information====
+
== SBOM combiner ==
* See the [https://spdx.org/spdx-license-list/matching-guidelines SPDX License Matching Guidelines] for a description of the guidelines
+
The project will result in a simple command-line tool that will be able to “combine” information from a number of SBOMs into a comprehensive SBOM that includes all the information of the provided ones.
* A technical description of the templates and license matching can be found in [https://spdx.org/spdx-specification-21-web-version#h.2mjng0vqrghe Appendix II] of the SPDX specification
+
An actual use case would be the generation of an SBOM for an actual software delivery that is comprised by a number of components, each one of which has its own correct SBOM.
* A Java implementation can be found in Github [https://github.com/spdx/tools/blob/master/src/org/spdx/compare/LicenseCompareHelper.java SPDX Tools LicenseCompareHelper.java]
+
=== Description ===
* It's harder than you may think - the template language is a challenge to implement. Performance can be a challenge when matching a single text against hundreds of potential licenses. Reporting back where the missmatch occurs can also be a challenge.
+
The primary purpose of this tool would be
 +
to stitch together smaller component-level SPDX documents
 +
and amalgamate them into one top-level SPDX document
 +
representing a "sum of parts" piece of software.
 +
As an initial pass for implementation, the component-level SBOMs would have to be provided by the caller
 +
until the tool was advanced enough to fetch SPDX Documents referenced by ExternalDocumenRef reliably.  
 +
=== Technologies ===
 +
Python (preferably); or Go.
 +
=== Duration ===
 +
This will be a short (175 hours) project.
 +
=== Mentors ===
 +
Rose Judge; others TBD
  
====Skills Needed====
+
== Update of Java SPDX libraries to handle latest spec ==
* Development skills in the Python
+
=== Description ===
* Skills in parsing and pattern matching
+
The SPDX Project maintains a library, written in Java, for working with SPDX data.
* Ability to work with the community in integrating results with other projects
+
The development of the library does not always follow the development of the specification immediately.
 +
Since the specification has evolved
 +
and a newer version is expected to be published
 +
right before the timeframe of the project,
 +
it would be useful to have the standard Java libraries
 +
capable of handling the latest spec.
  
====Available Mentors====
+
The project will involve obviously understanding deeply
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]
+
the existing libraries
 +
and extending them to handle the latest additions
 +
of the specification (to the point of the published version).
 +
=== Technologies ===
 +
Java; see https://github.com/spdx/Spdx-Java-Library
 +
=== Duration ===
 +
This will be a short (175 hours) project.
 +
=== Mentors ===
 +
TBD
  
=== Generate Java SPDX Model Classes from XML XSD file ===
+
== Update of Go SPDX libraries to handle latest spec ==
In SPDX 3.0, we will be generating an XML XSD schema to define the model. This project idea is to use the XSD schema to generate a set of Java classes which represent the complete SPDX model.  The generated classes would be used as part of a re-designed Java tool for SPDX.  
+
=== Description ===
+
The SPDX Project maintains a library, written in Go, for working with SPDX data.
====Skills Needed====
+
The development of the library does not always follow the development of the specification immediately.
* Java programming skills
+
Since the specification has evolved
* XML/XSD skills
+
and a newer version is expected to be published
* Skills in code generation practices
+
right before the timeframe of the project,
* Ability to work with the community in integrating results with other projects
+
it would be useful to have the standard Go libraries
 +
capable of handling the latest spec.
  
====Background Information====
+
The project will involve obviously understanding deeply
* A proposed XSD for SPDX can be found on [https://github.com/mil-oss/spdx-xsd github].  Note: This is a very early proposal and would likely change significantly.
+
the existing libraries
* Current Java tools can be found on [https://github.com/spdx/tools SPDX Tools github page]
+
and extending them to handle the latest additions
* A rewrite of the Java tools is in progress.  The in progress work can be found at the [https://github.com/goneall/Spdx-Java-Library Spdx-Java-Library] github page.
+
of the specification (to the point of the published version).
 +
=== Technologies ===
 +
Go; see https://github.com/spdx/tools-golang
 +
=== Duration ===
 +
This will be a short (175 hours) project.
 +
=== Mentors ===
 +
TBD
  
====Available Mentors====
+
== SPDX Golang RDF Saver ==
[mailto:rohit.lodhartg@gmail.com Rohit Lodha] [mailto:gary@sourceauditor.com Gary O'Neall]
+
=== Description ===
 +
SPDX already has a Golang library to save RDF triples into a file/string
 +
using the gordf project: https://github.com/spdx/gordf
  
=== Validate License Cross-References ===
+
The aim of this GSoC project would be to write an adapter in the
Enhance the SPDX LicenseListPublisher to validate the cross reference / seeAlso URL's for the license. One check would be to validate the link is still valid.  This would need to be done in a way that has reasonably good performance (e.g. a long timeout would not work).  Another check would be to identify the license text in the linked URL and compare it to the license text for the license itself to make sure they match. If either of these tests fail, a validity attribute should be added to the license output files (e.g. the license JSON files).
+
SPDX Golang Tools (the tools-golang repository at https://github.com/spdx/tools-golang) that
 +
would take an SPDX Document struct (see https://github.com/spdx/tools-golang/blob/main/spdx/document.go) as
 +
an input, and serialize it and its child elements into RDF triples to be consumed by the
 +
aforementioned gordf rdf-writer.
 +
=== Technologies ===
 +
Golang; RDF
 +
=== Duration ===
 +
This will be a short (175 hours) project. If the project requires less than 175 hours, remaining time can be spent on
 +
additional improvements to the Golang tools.
 +
=== Mentors ===
 +
Rishabh Bhatnagar; Steve Winslow as secondary / backup
  
====Skills Needed====
 
* Java programming skills
 
* XML/XSD skills
 
* HTML parsing skills
 
* Ability to work with the community in integrating results with other projects
 
  
====Background Information====
+
== Update of Python SPDX libraries to handle latest spec ==
The [https://spdx.org/licenses/ SPDX license list] is generated from a [https://github.com/spdx/license-list-XML git repository of XML files].  One of the fields maintained in the XML is the crossRef which is a URL cross reference for the license which may be valid or it may also be a "dead link".  The [https://github.com/spdx/LicenseListPublisher LicenseListPublisher] is the tool that generates the web pages and the output formats.  The output formats can be found in the [https://github.com/spdx/license-list-data SPDX license list data] git repository.  [https://github.com/spdx/LicenseListPublisher/issues/60#issuecomment-570511697 Issue #60] for the LicenseListPublisher describes a request to include validity attribute.
+
=== Description ===
 +
The SPDX Project maintains a library, written in Python, for working with SPDX data.
 +
The development of the library does not always follow the development of the specification immediately.
 +
Since the specification has evolved
 +
and a newer version is expected to be published
 +
right before the timeframe of the project,
 +
it would be useful to have the standard Python libraries
 +
capable of handling the latest spec.
  
Over the summer, we may be adding the XML format to the supported output data formats in the license list data repo.
+
The project will involve obviously understanding deeply
 +
the existing libraries
 +
and extending them to handle the latest additions
 +
of the specification (to the point of the published version).
 +
=== Technologies ===
 +
Python; see https://github.com/spdx/tools-python
 +
=== Duration ===
 +
This will be a short (175 hours) project.
 +
=== Mentors ===
 +
TBD
  
====Available Mentors====
 
[mailto:gary@sourceauditor.com Gary O'Neall]
 
  
=== Improve SPDX Golang tooling ===
+
== More to come... ==
The goal of this GSoC project would be to add support in the [https://github.com/spdx/tools-golang SPDX Golang tools] for SPDX documents in versions of the SPDX spec other than 2.1, including the upcoming 2.2 spec release which will add JSON, YAML and XML to the supported formats. Other work may include improving the validation and data model used by the Golang tools.
+
Mentors:  please fill out the following template for any projects you wish to propose.  
  
====Skills Needed====
+
=== Project Name ===
* Go programming skills
+
add overview of project here
* Experience with JSON and YAML (XML a plus)
+
====Skills Needed====
* Ability to interpret and implement the SPDX specification and related community documentation
+
what skills should the student have to do the coding exercises
* Ability to work with the community in integrating results with other projects
+
====Duration===
* Willingness to learn about open source licensing and related technical matters
+
whether this is a short or a long project
 
+
====Background Information====
====Background Information====
+
context for the project and references to be studied
The [https://github.com/spdx/tools-golang SPDX Golang tools] were initially designed to work with SPDX documents in tag-value format, for version 2.1 of [https://spdx.org/specifications the SPDX specification]. Currently it does not support earlier versions of the SPDX specification. Also, [https://github.com/spdx/spdx-spec/milestone/2 the upcoming 2.2 spec release], in addition to new data fields, will also add support for SPDX documents in JSON, YAML and XML formats. The Golang tools should (at a minimum) be updated to enable reading and writing in JSON and YAML.
+
====Available Mentors====
 
+
list individuals who are willing to mentor and provide information about the project proposal.
The SPDX Golang tools currently do some validation when reading and parsing SPDX documents, but they do not currently do much validation of the content itself. For example, license fields are represented as strings, but the tools do not currently check to confirm that e.g. the license identifiers are valid SPDX license expressions. Additional validation support to improve this would be beneficial.
+
 
+
Additionally, the [https://github.com/spdx/tools-golang/tree/master/spdx data model used internally by the SPDX tools] to represent SPDX content is different in some ways from the data model used by other tools (e.g. [https://github.com/spdx/tools/tree/master/src/org/spdx/rdfparser/model Java], [https://github.com/spdx/tools-python/tree/master/spdx Python]). One goal for this project might be to evaluate the choices made by those other tools, and consider whether the Golang tools' data model should change to align with those.
+
 
+
====Available Mentors====
+
[mailto:swinslow@linuxfoundation.org Steve Winslow]
+
  
==SPDX Specification Projects==
+
= Historical info =
The following projects contribute directly to the creation or validation of the SPDX 2.1 specification.
+
  
=== SPDX Specification Views for legal counsels and developers ===
+
[[GSOC/PastProjectIdeas]]
The proposal is to see if it possible to deduct large SPDX documents into a small subset SPDX document providing a specific reduced "views" on larger data.
+
====Skills Needed====
+
* Understanding of compliance needs of legal counsels and developers so we can remove friction to adopt SPDX
+
====Background Information====
+
SPDX documents commonly contain 100s, if not 1000s of entries making it hard for a human to make manual corrections or draw conclusions. No scanner can provide 100% complete data human corrections are usual needed. The aim from this proposal is twofold:
+
1. Enable developers with a "code view" of tool-generated SPDX document close to the code they work on to enable them to make corrections to the SPDX data. For instance amend SPDX package tag values or model package dependencies not detected by used scanner.
+
2. Provide legal counsels with a "package and limited file view" to enable legal conclusions
+
====Available Mentors====
+
[mailto:swinslow@linuxfoundation.org Steve Winslow]
+
[mailto:thomas.steenbergen@here.com Thomas Steenbergen]
+

Latest revision as of 17:36, 31 March 2022


Welcome to the 2022 SPDX Google Summer of Code Project Page

See the proposal template if you are interested in submitting a Google Summer of Code proposal.

Should you have questions please do not hesitate to contact one of the mentors directly.



What is SPDX ?

First and foremost we are a community dedicated to solving the issues and problems around Open Source licensing and compliance. The SPDX work group (part of the Linux Foundation) consists of individuals, community members, and representatives from companies, foundations and organizations who use or are considering using the SPDX standard. The work group operates much like a meritocratic, consensus-based community project; that is, anyone with an interest in the project can join the community, contribute to the specification, and participate in the decision-making process. We come from many different backgrounds including open source developers, lawyers, consultants and business professionals, many of who have been involved with license compliance and identification for years.

As part of this effort we have developed a set of collateral that can be used:

Why choose an SPDX Project?

Contributing to one of the SPDX projects below will provide a valuable contribution to developers and/or users of open source software. We believe you will find the projects both technically challenging and rewarding. In essence we believe you will be able to look back one day and I say I was part of that effort.


Getting Involved

Beyond working with your mentor(s) we highly encourage students who select one of these projects to get involved with the SPDX community via our technical working group. Interaction with the technical team is primarily done via its mailing list and on gitter (see resources). There is however a weekly call you could join as well. .

Resources

Ideas for 2022 Projects

SBOM Conformance Checker

The goal of this project is to create a simple tool that checks whether an SBOM (in SPDX format) conforms to NTIA's minimum elements guidance.

Description

The SPDX Specification defines a number of fields (elements) that may appear in an SBOM (Software Bill of Materials). Not all of them are mandatory, however, so SBOMs in SPDX format can vary greatly.

While researching the attributes that have to be present in an SBOM, NTIA came up with a guidance about the minimum elements that must appear therein: https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf

It would, therefore, be useful to have a tool that can determine whether an SBOM stored in SPDX format fulfills all such minimum obligations.

The tool should make use of the already existing libraries for reading SPDX documents

Technologies

Python

Duration

This will be a short (175 hours) project. It might be extended to a long (350 hours) project if integration with the existing SPDX handling tools (e.g., the Validation tool) is also implemented.

Mentors

Dick Brooks, Kate Stewart

Private license management system

A web-based system for managing license texts; similar to the SPDX License List but oriented towards other private collections of licenses.

Description

The goal of the project would be to create a simple web application for people to upload license texts and automatically create a license repository. The initial rough "functional specifications" describe it as mainly an input form, where the information is entered. There will be some automatic processing (e.g., canonicalization, duplicate avoidance, etc.), a review/approval (and naming) step, and then publishing in a specified format.

It should be noted that the specification is not yet finalized regarding naming namespaces, way to publish licenses, etc. If the SPDX project has already advanced in these definitions, this project will obviously implement the decisions taken.

Technologies

Python (any framework) for the back-end; JavaScript (any framework) for the minimal front-end.

Duration

This can be either a short (175 hours) project, implementing only the basic functionality; or a long (350 hours) one, implementing more functionality and automation.

Mentors

Alexios Zavras; more TBD

SBOM combiner

The project will result in a simple command-line tool that will be able to “combine” information from a number of SBOMs into a comprehensive SBOM that includes all the information of the provided ones. An actual use case would be the generation of an SBOM for an actual software delivery that is comprised by a number of components, each one of which has its own correct SBOM.

Description

The primary purpose of this tool would be to stitch together smaller component-level SPDX documents and amalgamate them into one top-level SPDX document representing a "sum of parts" piece of software. As an initial pass for implementation, the component-level SBOMs would have to be provided by the caller until the tool was advanced enough to fetch SPDX Documents referenced by ExternalDocumenRef reliably.

Technologies

Python (preferably); or Go.

Duration

This will be a short (175 hours) project.

Mentors

Rose Judge; others TBD

Update of Java SPDX libraries to handle latest spec

Description

The SPDX Project maintains a library, written in Java, for working with SPDX data. The development of the library does not always follow the development of the specification immediately. Since the specification has evolved and a newer version is expected to be published right before the timeframe of the project, it would be useful to have the standard Java libraries capable of handling the latest spec.

The project will involve obviously understanding deeply the existing libraries and extending them to handle the latest additions of the specification (to the point of the published version).

Technologies

Java; see https://github.com/spdx/Spdx-Java-Library

Duration

This will be a short (175 hours) project.

Mentors

TBD

Update of Go SPDX libraries to handle latest spec

Description

The SPDX Project maintains a library, written in Go, for working with SPDX data. The development of the library does not always follow the development of the specification immediately. Since the specification has evolved and a newer version is expected to be published right before the timeframe of the project, it would be useful to have the standard Go libraries capable of handling the latest spec.

The project will involve obviously understanding deeply the existing libraries and extending them to handle the latest additions of the specification (to the point of the published version).

Technologies

Go; see https://github.com/spdx/tools-golang

Duration

This will be a short (175 hours) project.

Mentors

TBD

SPDX Golang RDF Saver

Description

SPDX already has a Golang library to save RDF triples into a file/string using the gordf project: https://github.com/spdx/gordf

The aim of this GSoC project would be to write an adapter in the SPDX Golang Tools (the tools-golang repository at https://github.com/spdx/tools-golang) that would take an SPDX Document struct (see https://github.com/spdx/tools-golang/blob/main/spdx/document.go) as an input, and serialize it and its child elements into RDF triples to be consumed by the aforementioned gordf rdf-writer.

Technologies

Golang; RDF

Duration

This will be a short (175 hours) project. If the project requires less than 175 hours, remaining time can be spent on additional improvements to the Golang tools.

Mentors

Rishabh Bhatnagar; Steve Winslow as secondary / backup


Update of Python SPDX libraries to handle latest spec

Description

The SPDX Project maintains a library, written in Python, for working with SPDX data. The development of the library does not always follow the development of the specification immediately. Since the specification has evolved and a newer version is expected to be published right before the timeframe of the project, it would be useful to have the standard Python libraries capable of handling the latest spec.

The project will involve obviously understanding deeply the existing libraries and extending them to handle the latest additions of the specification (to the point of the published version).

Technologies

Python; see https://github.com/spdx/tools-python

Duration

This will be a short (175 hours) project.

Mentors

TBD


More to come...

Mentors: please fill out the following template for any projects you wish to propose.

=== Project Name ===
add overview of project here
====Skills Needed====
what skills should the student have to do the coding exercises
====Duration===
whether this is a short or a long project
====Background Information====
context for the project and references to be studied
====Available Mentors====
list individuals who are willing to mentor and provide information about the project proposal.

Historical info

GSOC/PastProjectIdeas