Can one parse a JSON containing Elements extended by an unsupported / unknown profile? about spdx-3-model HOT 3 CLOSED

@maxhbr Good question. This is very related to a long running debate on how to treat serialization level information in the document.

Parsing implies that there is a deserialization going on of something that was serialized - let's call that an SPDXDocument for the purpose of this comment.

If the SPDXDocument has creation information and that creation information would represent the intent of the SPDXDocument creator . The profile field in the SPDXDocument element could be used to guide the deserialization and would give you the answer in a very straightforward and high performance manner (e.g. you don't have to interpret each element and try to reverse engineer the profiles based on type etc.).

In the current model diagram - the "collection -> SpdxCollection?" class could be used for that purpose since it already contains information specific to the serialization.

This approach isn't as powerful as interpreting each individual element since each element could conceivably have a different profile, but I would find this approach to be rather difficult to implement.

from spdx-3-model.

Parsing implies that there is a deserialization going on of something that was serialized - let's call that an SPDXDocument for the purpose of this comment.

Yes, the assumption is that a SBOM was serialized to a json and its abbreviated version is above.

If the SPDXDocument has creation information and that creation information would represent the intent of the SPDXDocument creator .

This creationInfo just contains "profile": ["core"], and nothing else. (Probably this is wrong and should be ["core", "software"] as it contains a SBOM. (->#43) ). But I do not see anything else that would help me to interpret the document.

from spdx-3-model.

another example:

There was the statement, that one can basically parse a SPDX document that implements an unknown profile by just skipping unknown properties.

Lets imagine a NPM profile that is unknown:

And a corresponding document (based on example in model) could look like:

{
  "@type": "SBOM",
  "@id": "urn:spdx.dev:null-sbom",
  "creationInfo": {
    "specVersion": "3.0",
    "created": "2022-05-02T20:28:00.000Z",
    "profile": ["core","software","NPM"],
    "dataLicense": "CC0",
    "createdBy": ["urn:spdx.dev:iamwillbar"]
  },
  "rootElements": ["urn:spdx.dev:spdx-tools-3.0.1"],
  "externalMap": [
    {"elementId": "urn:spdx.dev:project", "elementURL": "", "verifiedUsing": []},
    {"elementId": "urn:spdx.dev:doc", "elementURL": "https://spdx.dev/docs/v1.0.json", "verifiedUsing": [{@type: "Hash", }]}
  ],
  "elements": [
    {
      "@type": "NPMPackage",
      "@id": "urn:spdx.dev:time-0.12.0",
      "packagePurpose": "APPLICATION",
      "NpmHome": "https://www.npmjs.com/package/time",
      "downloadLocation": "https://spdx.dev/downlods/spdx-tools-3.0.1.tgz",
      "homePage": "https://spdx.dev/tools/3.0",
      "originator": ["urn:spdx.dev:project"],
      "externalIdentifiers": [
        {"type": "ExternalReference", "externalReferenceType": "purl", "locator": ""},
        {"type": "ExternalReference", "externalReferenceType": "cpe22", "locator": ""}
      ],
      "verifiedUsing": [
        {"type": "Hash", "hashAlgorithm": "SHA256", "hashValue": "..."}
      ]
    },
    {
      "@type": "PackageJSON",
      "@id": "...",
      "elements": ["urn:spdx.dev:time-0.12.0"],
      "lockFile": ...
    }
  ]
}

And as someone not knowing the NPM profile I am not able to parse the SBOM and get the software part without NPM out of that.

from spdx-3-model.