THE SPDX WIKI IS NO LONGER ACTIVE. ALL CONTENT HAS BEEN MOVED TO https://github.com/spdx

Technical Team/Minutes/2020-09-08

From SPDX Wiki
Jump to: navigation, search

September 8, 2020

Attendees

  • Thomas Steenbergen
  • Nisha Kumar
  • Gary O’Neall
  • David Kemp
  • William Bartholomew
  • Jim Hutchison
  • Steve Winslow

Topics:

  • How do we best proceed on documenting the different profiles
  • Core 3T SBOM comparison

Core 3T SBOM comparison

  • Comparison of Core 3T model to Core SPDX model
  • Slides available at https://docs.google.com/presentation/d/1dvGeCAbOUSD5qFQ6mt1WsnBEZvatnonYpKGdAQCIWZg/edit#slide=id.g95424fd354_0_0 (NOTE: presentation starts a slide 8)
  • Similar models
  • Proposed changes to SPDX
    • Identity – add structured email field, add structured tool information
  • Relationship
    • Subclass of element – adds ID
    • add completeness enum
      • Should completeness be put in a separate profile?
      • General consensus on the call 95% of use cases will not use this so should be added as a profile
      • Agreed to defer the decision until Kate is on the call – Kate has been working with NTIA on this
      • David raised the point that completeness is an optional enumeration and may not complicate the model
      • Desire to simplify by reducing the number of field definitions
    • Make the object independent of the 2 items being related
  • Package URL more fundamental – mandatory unique identifier
    • Expanded the URL to be and ArtifactURL – superset of PackageURL which can include other types of artifacts including hardware etc.
    • concern about representing non-public package distribution; PURL may not be mature enough for all use cases
      • add to the PURL or ArtifactURL if it is missing
      • Software heritage approach could be another alternative – less human readable
      • Could we use the SPDX reference ID as a package URL
  • Additional HASH algorithms
  • Suggestion to create examples for various scenarios (e.g. here’s the source repository a binary artifact was built from)
  • Suggest that we also have “bad examples”
  • Nisha created a mock-up for a container as part of defining the linking profile
    • Describing the relationships between layers, manifests can be complicated
    • Difficulty in representing URL for container metadata
    • Dynamic systems that re-generate the artifacts
    • Proposal that the SBOM travel with the artifacts in the distributed systems

How to document different profiles

  • ran out of time for this topic – moved to next week

Next Week

  • Linkage profile update
  • Nisha to present challenges with adapting to the container / container registry work
  • How to document different profiles