SPDX v2.3 JSON schema diagram
Norio Kobota
Dear SPDX tech communities,

Thank you for providing a lot of useful documents about SPDX! We, OpenChain Japan SBOM-sg members, illustrated the v2.3 JSON schema to make it a little easier to see.

https://qiita.com/nori0428/items/b1892da6bd30ed6efff4

I hope you can check it, and let me ask a question. We assume that v3.0 will also be slightly different in model and implementation, so are there any discussions considering a JSON schema for v3.0?

Best regards,
--
kobota @ OpenChain JWG SBOM-sg
Norio,
This is excellent work, thank you. I did not see the externalRefs SECURITY advisory object in the model; see Appendix K for examples:
https://spdx.github.io/spdx-spec/v2.3/how-to-use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

-----Original Message-----
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Norio Kobota
Sent: Tuesday, March 14, 2023 5:17 AM
To: spdx-tech@...
Subject: [spdx-tech] SPDX v2.3 JSON schema diagram
Norio Kobota
Hello Dick,
Thank you for pointing that out. I added the figure of externalDocumentRefs.
https://qiita.com/nori0428/items/b1892da6bd30ed6efff4#externaldocumentrefs

And as far as I've checked the current schema,
https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L74-L110
there seem not to be any specifications for the SECURITY advisory object, e.g. referenceCategory, referenceLocator, etc. I would appreciate it if you could check it.

Best,
--
kobota
Norio,
Thanks for your response. I refer you to the SPDX V2.3 spec for externalRef SECURITY:
https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field
and
https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/#f23-advisory

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council - A Public-Private Partnership
Never trust software, always verify and report!
http://www.reliableenergyanalytics.com
Email: dick@...
Tel: +1 978-696-1788

-----Original Message-----
From: Spdx-tech@... <Spdx-tech@...> On Behalf Of Norio Kobota
Sent: Tuesday, March 14, 2023 7:51 PM
To: dick@...
Cc: spdx-tech@...
Subject: Re: [spdx-tech] SPDX v2.3 JSON schema diagram
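The thread above turns on how a SECURITY/advisory external reference is expressed in an SPDX 2.3 JSON document, and on the fact that the allowed referenceType values and locator formats are spelled out in the spec prose (section 7.21 and Annex F) rather than in the externalRefs part of the JSON schema. The following is an added example, not code from the SPDX project or from either poster: it constructs a small SPDX 2.3 JSON document (the product name, namespace and URLs are made up) and checks every externalRefs entry against the category/type table from section 7.21, the http(s)-URL requirement for advisory, fix and url locators, and the fixed prefixes of CPE and purl locators. The function names check_external_ref, check_document and advisory_links are this example's own, and it is meant to run after, not instead of, ordinary JSON-schema validation.

```python
"""Check externalRefs in an SPDX 2.3 JSON document against the
referenceCategory / referenceType rules from the spec prose (section 7.21,
Annex F). Example written for this thread, not part of the SPDX project;
SAMPLE_DOC below is constructed."""
import json
from urllib.parse import urlparse

# referenceType values allowed per referenceCategory (SPDX 2.3, section 7.21).
# OTHER places no restriction on the type.
ALLOWED_TYPES = {
    "SECURITY": {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"},
    "PACKAGE-MANAGER": {"maven-central", "npm", "nuget", "bower", "purl"},
    "PERSISTENT-ID": {"swh", "gitoid"},
    "OTHER": None,
}
# Types whose locator must be an absolute http(s) URL (Annex F.2.3 advisory and its siblings).
URL_LOCATOR_TYPES = {"advisory", "fix", "url"}
# Types whose locator starts with a fixed prefix (CPE 2.2, CPE 2.3, package URL).
LOCATOR_PREFIXES = {"cpe22Type": "cpe:/", "cpe23Type": "cpe:2.3:", "purl": "pkg:"}


def check_external_ref(ref):
    """Return a list of problems for one externalRefs entry; empty means well formed."""
    problems = []
    category = ref.get("referenceCategory")
    ref_type = ref.get("referenceType")
    locator = ref.get("referenceLocator")
    if category not in ALLOWED_TYPES:
        return [f"unknown referenceCategory {category!r}"]
    allowed = ALLOWED_TYPES[category]
    if not ref_type:
        problems.append("missing referenceType")
    elif allowed is not None and ref_type not in allowed:
        problems.append(f"referenceType {ref_type!r} is not defined for category {category}")
    if not locator:
        problems.append("missing referenceLocator")
        return problems
    if ref_type in URL_LOCATOR_TYPES:
        parsed = urlparse(locator)
        if parsed.scheme not in ("http", "https") or not parsed.netloc:
            problems.append(f"{ref_type} locator must be an absolute http(s) URL, got {locator!r}")
    prefix = LOCATOR_PREFIXES.get(ref_type)
    if prefix and not locator.startswith(prefix):
        problems.append(f"{ref_type} locator must start with {prefix!r}, got {locator!r}")
    return problems


def check_document(doc):
    """Map package SPDXID -> problems in its externalRefs (only packages with problems)."""
    findings = {}
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            problems = check_external_ref(ref)
            if problems:
                findings.setdefault(pkg.get("SPDXID", "<no SPDXID>"), []).extend(problems)
    return findings


def advisory_links(doc):
    """Return (package SPDXID, URL) for every well-formed SECURITY/advisory reference,
    i.e. the vulnerability-report links the K.19 how-to example describes."""
    links = []
    for pkg in doc.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            if (ref.get("referenceCategory") == "SECURITY"
                    and ref.get("referenceType") == "advisory"
                    and not check_external_ref(ref)):
                links.append((pkg.get("SPDXID"), ref["referenceLocator"]))
    return links


# Constructed sample: one correct package and two packages with defective references.
SAMPLE_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-product-sbom",
  "documentNamespace": "https://sbom.example.com/example-product/1.0",
  "creationInfo": {"created": "2023-03-14T00:00:00Z", "creators": ["Tool: hand-written-example"]},
  "packages": [
    {"SPDXID": "SPDXRef-Package-ok", "name": "example-product", "versionInfo": "1.0",
     "downloadLocation": "NOASSERTION",
     "externalRefs": [
       {"referenceCategory": "SECURITY", "referenceType": "advisory",
        "referenceLocator": "https://sbom.example.com/example-product/1.0/vulnerability-report"},
       {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
        "referenceLocator": "cpe:2.3:a:example:example-product:1.0:*:*:*:*:*:*:*"},
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:generic/example-product@1.0"}]},
    {"SPDXID": "SPDXRef-Package-badtype", "name": "lib-a", "downloadLocation": "NOASSERTION",
     "externalRefs": [
       {"referenceCategory": "SECURITY", "referenceType": "vuln-report",
        "referenceLocator": "https://sbom.example.com/lib-a/report"}]},
    {"SPDXID": "SPDXRef-Package-badlocator", "name": "lib-b", "downloadLocation": "NOASSERTION",
     "externalRefs": [
       {"referenceCategory": "SECURITY", "referenceType": "advisory",
        "referenceLocator": "attached-report.pdf"}]}
  ]
}
""")

if __name__ == "__main__":
    for spdxid, problems in check_document(SAMPLE_DOC).items():
        print(spdxid, "->", "; ".join(problems))
    print("advisory links:", advisory_links(SAMPLE_DOC))
```

Run against the sample, the checker flags SPDXRef-Package-badtype (a referenceType the SECURITY category does not define) and SPDXRef-Package-badlocator (an advisory locator that is not an absolute URL), while advisory_links returns only the well-formed vulnerability-report link of SPDXRef-Package-ok. A consumer that wants to follow EO 14028-style report links automatically should apply a check of this kind before dereferencing anything, since a schema-valid document can still carry a locator that is not a URL at all.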