SpdxDocument examples

David Kemp

On July 18 I emailed an example JSON array (not map) "spdx document" (transfer unit) containing six elements created by "Acme":
  • two files
  • one package
  • one relationship between files and package
  • one identity for the creator of the elements (Acme) - not the creator of the package (Gnu)
  • the sbom that is the collection of the other five elements
That is attached as transfer-unit-a.json.  Notably, it does NOT include a collection element that describes the transfer unit.  The root of the transfer unit is a single object that is not an element.

In the logical model it would be a DataType on the right side of the diagram with something like the following structure:

TransferUnit = Record                       // Serialized collection of Element values
   1 namespace        IRI                   // Default namespace for Element ids in this file (rdf BASE)
   2 namespaceMap     NamespaceMap optional // Namespace abbreviations (rdf PREFIX)
   3 createdBy        Link(Element) [1..*]  // default: Link(Actor): set of identifiers
   4 created          DateTime              // default
   5 specVersion      SemVer                // default
   6 profiles         ProfileIdentifier [1..*]  // default
   7 dataLicense      LicenseId             // default
   8 elementValues    Element [1..*]        // Element values serialized in this file (defined or copied)
   9 spdxDocumentId   Link(Element) optional  // Optional SpdxDocument element that describes this file
  10 spdxDocumentRefs Link(Element) [0..*]    // SpdxDocument elements that describe referenced files

Next, "Baker" wants to create an SBOM that references elements defined in Acme's SBOM.  To do that, Baker needs to create an SpdxDocument element that describes the transfer unit created by Acme.

Baker's transfer unit (transfer-unit-b.json) contains four element values:
  • Baker's package (widget)
  • Baker's id
  • Baker's SBOM for widget, listing the four element IRIs in the SBOM
    • baker package
    • baker id
    • acme package
    • acme id
  • Baker's SpdxDocument element describing Acme's transfer unit
If Acme had created the first transfer unit to be used as a file, he would have included an SpdxDocument element covered by Acme's signature.  Instead, he created the file for the sole purpose of uploading the six SBOM elements into an Element Store.  The file(s) used to perform the transfer are irrelevant and don't need to be memorialized as SpdxDocument elements, and the file(s) are discarded after the transfer is complete.

I'm still working on the software to split a transfer unit into individual elements and combine individual elements into a transfer unit, so they aren't guaranteed to be perfect.  They should be close.
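As an added illustration of that split/combine step (example code written for this note, not David's tool or any SPDX project code), the following applies the file-level defaults from the TransferUnit record above to each element on the way out and recovers them on the way back in; the JSON field names, the BASE/PREFIX expansion rule, and the sample Acme data are assumptions.

```python
import json
from copy import deepcopy

DEFAULT_KEYS = ("createdBy", "created", "specVersion", "profiles", "dataLicense")
LINK_KEYS = ("spdxId", "createdBy", "from", "to", "elements")  # fields that hold element ids

def expand_iri(iri, namespace, ns_map):
    """Resolve a prefixed (PREFIX) or relative (BASE) id into an absolute IRI."""
    if "://" in iri:
        return iri
    prefix, sep, local = iri.partition(":")
    return ns_map[prefix] + local if sep and prefix in ns_map else namespace + iri

def split_transfer_unit(tu):
    """Return self-contained elements: file-level defaults copied in, all ids absolute."""
    ns, ns_map = tu["namespace"], tu.get("namespaceMap", {})
    out = []
    for el in tu["elementValues"]:
        full = {k: deepcopy(tu[k]) for k in DEFAULT_KEYS if k in tu}
        full.update(deepcopy(el))  # an element's own value overrides the file default
        for k in [k for k in LINK_KEYS if k in full]:
            ids = full[k] if isinstance(full[k], list) else [full[k]]
            ids = [expand_iri(i, ns, ns_map) for i in ids]
            full[k] = ids if isinstance(full[k], list) else ids[0]
        out.append(full)
    return out

def combine_elements(elements, namespace):
    """Build a transfer unit; a value shared by every element becomes a file default."""
    tu = {"namespace": namespace, "elementValues": []}
    for k in DEFAULT_KEYS:
        shared = {json.dumps(e.get(k), sort_keys=True) for e in elements}
        if len(shared) == 1 and elements[0].get(k) is not None:
            tu[k] = deepcopy(elements[0][k])
    if len({e["spdxId"] for e in elements}) != len(elements):
        raise ValueError("duplicate element ids")  # a duplicated id makes every Link to it ambiguous
    for e in elements:
        tu["elementValues"].append({k: v for k, v in e.items() if tu.get(k) != v})
    return tu

# Constructed sample in the shape of Acme's six-element transfer unit (not the attached file).
ACME_TU = {
    "namespace": "https://acme.example/sbom/", "createdBy": ["acme"],
    "created": "2022-07-18T00:00:00Z", "specVersion": "3.0.0", "profiles": ["core", "software"],
    "dataLicense": "CC0-1.0", "elementValues": [
        {"spdxId": "file1", "type": "File"}, {"spdxId": "file2", "type": "File"},
        {"spdxId": "pkg", "type": "Package", "supplier": "Gnu"},
        {"spdxId": "rel", "type": "Relationship", "from": "pkg", "to": ["file1", "file2"]},
        {"spdxId": "acme", "type": "Identity"},
        {"spdxId": "sbom", "type": "Sbom", "elements": ["file1", "file2", "pkg", "rel", "acme"]}]}
```

Splitting then recombining is lossless here because every element carries the same defaults; an element whose createdBy differs from the file's (the Gnu-vs-Acme case) simply keeps its own value in elementValues.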