Comments (3)
@maxhbr Good question. This is very related to a long running debate on how to treat serialization level information in the document.
Parsing implies that there is a deserialization going on of something that was serialized - let's call that an SPDXDocument for the purpose of this comment.
If the SPDXDocument has creation information, and that creation information represents the intent of the SPDXDocument creator, the profile field in the SPDXDocument element could be used to guide the deserialization and would give you the answer in a very straightforward and high-performance manner (e.g. you don't have to interpret each element and try to reverse engineer the profiles based on type etc.).
In the current model diagram - the "collection -> SpdxCollection?" class could be used for that purpose since it already contains information specific to the serialization.
This approach isn't as powerful as interpreting each individual element since each element could conceivably have a different profile, but I would find this approach to be rather difficult to implement.
from spdx-3-model.
Parsing implies that there is a deserialization going on of something that was serialized - let's call that an SPDXDocument for the purpose of this comment.
Yes, the assumption is that an SBOM was serialized to JSON and its abbreviated version is above.
If the SPDXDocument has creation information and that creation information would represent the intent of the SPDXDocument creator .
This creationInfo just contains "profile": ["core"], and nothing else. (Probably this is wrong and should be ["core", "software"], as it contains an SBOM; see #43.) But I do not see anything else that would help me to interpret the document.
from spdx-3-model.
another example:
There was the statement that one can basically parse an SPDX document that implements an unknown profile by just skipping unknown properties.
Let's imagine an NPM profile that is unknown:
And a corresponding document (based on example in model) could look like:
{
  "@type": "SBOM",
  "@id": "urn:spdx.dev:null-sbom",
  "creationInfo": {
    "specVersion": "3.0",
    "created": "2022-05-02T20:28:00.000Z",
    "profile": ["core", "software", "NPM"],
    "dataLicense": "CC0",
    "createdBy": ["urn:spdx.dev:iamwillbar"]
  },
  "rootElements": ["urn:spdx.dev:spdx-tools-3.0.1"],
  "externalMap": [
    {"elementId": "urn:spdx.dev:project", "elementURL": "", "verifiedUsing": []},
    {"elementId": "urn:spdx.dev:doc", "elementURL": "https://spdx.dev/docs/v1.0.json", "verifiedUsing": [{"@type": "Hash"}]}
  ],
  "elements": [
    {
      "@type": "NPMPackage",
      "@id": "urn:spdx.dev:time-0.12.0",
      "packagePurpose": "APPLICATION",
      "NpmHome": "https://www.npmjs.com/package/time",
      "downloadLocation": "https://spdx.dev/downlods/spdx-tools-3.0.1.tgz",
      "homePage": "https://spdx.dev/tools/3.0",
      "originator": ["urn:spdx.dev:project"],
      "externalIdentifiers": [
        {"type": "ExternalReference", "externalReferenceType": "purl", "locator": ""},
        {"type": "ExternalReference", "externalReferenceType": "cpe22", "locator": ""}
      ],
      "verifiedUsing": [
        {"type": "Hash", "hashAlgorithm": "SHA256", "hashValue": "..."}
      ]
    },
    {
      "@type": "PackageJSON",
      "@id": "...",
      "elements": ["urn:spdx.dev:time-0.12.0"],
      "lockFile": "..."
    }
  ]
}
And, as someone not knowing the NPM profile, I am not able to parse the SBOM and get the software part without NPM out of that.
from spdx-3-model.
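The two parsing strategies discussed in this thread, side by side, as an added example (editor's illustration, not code from spdx-3-model or from either commenter): the first comment's idea of reading creationInfo.profile up front and refusing a document that declares a profile the consumer does not implement, and the second comment's "skip unknown properties" approach, applied to a constructed document modelled on the example above. KNOWN_PROFILES, KNOWN_CLASSES and KNOWN_PROPERTIES are an assumed subset standing in for a consumer that implements only Core and Software; the sample document is constructed (its root element points at the NPMPackage, and a plain Package with one made-up extra property is added) so that the effect of dropping unknown elements is visible. The skip strategy is deliberately made to report everything it drops rather than discard it silently, which is what a defender consuming third-party SBOMs needs in order to notice that the document's root element never made it through.

```python
import json

# Assumed subset of profiles, classes and properties implemented by this consumer
# (Core + Software only); not the spec's full lists.
KNOWN_PROFILES = {"core", "software"}
KNOWN_CLASSES = {"SBOM", "Package", "File", "Hash"}
KNOWN_PROPERTIES = {
    "@type", "@id", "packagePurpose", "downloadLocation", "homePage",
    "originator", "externalIdentifiers", "verifiedUsing",
}

# Constructed document modelled on the thread's example. Labelled differences:
# rootElements points at the NPMPackage, and a plain Package carrying one
# unknown property ("buildTool") is added.
SAMPLE_DOC = {
    "@type": "SBOM",
    "@id": "urn:spdx.dev:null-sbom",
    "creationInfo": {
        "specVersion": "3.0",
        "created": "2022-05-02T20:28:00.000Z",
        "profile": ["core", "software", "NPM"],
        "dataLicense": "CC0",
        "createdBy": ["urn:spdx.dev:iamwillbar"],
    },
    "rootElements": ["urn:spdx.dev:time-0.12.0"],  # constructed: root is the NPM element
    "elements": [
        {
            "@type": "NPMPackage",  # class from the hypothetical NPM profile
            "@id": "urn:spdx.dev:time-0.12.0",
            "packagePurpose": "APPLICATION",
            "NpmHome": "https://www.npmjs.com/package/time",
            "downloadLocation": "https://spdx.dev/downlods/spdx-tools-3.0.1.tgz",
            "verifiedUsing": [{"@type": "Hash", "hashAlgorithm": "SHA256", "hashValue": "00"}],
        },
        {
            "@type": "Package",  # constructed plain Software element
            "@id": "urn:example:plain-package",
            "packagePurpose": "LIBRARY",
            "downloadLocation": "https://example.invalid/plain.tgz",
            "buildTool": "constructed-unknown-property",
            "verifiedUsing": [{"@type": "Hash", "hashAlgorithm": "SHA256", "hashValue": "11"}],
        },
        {
            "@type": "PackageJSON",  # class from the hypothetical NPM profile
            "@id": "urn:spdx.dev:packagejson-1",
            "elements": ["urn:spdx.dev:time-0.12.0"],
        },
    ],
}


def declared_profiles(doc):
    """Profiles the creator declared in creationInfo (first comment's approach)."""
    return set(doc.get("creationInfo", {}).get("profile", []))


def unknown_profiles(doc):
    """Declared profiles this consumer does not implement."""
    return declared_profiles(doc) - KNOWN_PROFILES


def parse_elements(doc, lenient=False):
    """Deserialise the elements this consumer understands; returns (kept, report).

    Strict mode (default) rejects a document declaring an unimplemented profile
    using creationInfo alone, before looking at any element. Lenient mode applies
    the second comment's 'skip unknown' strategy and records what it skipped.
    """
    report = {
        "unknown_profiles": sorted(unknown_profiles(doc)),
        "dropped_elements": [],
        "dropped_properties": {},
    }
    if report["unknown_profiles"] and not lenient:
        raise ValueError(f"unimplemented profiles declared: {report['unknown_profiles']}")
    kept = []
    for element in doc.get("elements", []):
        etype = element.get("@type")
        if etype not in KNOWN_CLASSES:
            # Unknown class: without the profile's type hierarchy we cannot tell
            # whether this is "a Package plus extras", so the whole element goes.
            report["dropped_elements"].append({"@id": element.get("@id"), "@type": etype})
            continue
        extra = sorted(set(element) - KNOWN_PROPERTIES)
        if extra:
            report["dropped_properties"][element["@id"]] = extra
        kept.append({k: v for k, v in element.items() if k in KNOWN_PROPERTIES})
    return kept, report


def missing_roots(doc, kept):
    """Root elements that did not survive parsing; a non-empty set means the SBOM is unusable."""
    return set(doc.get("rootElements", [])) - {e["@id"] for e in kept}


if __name__ == "__main__":
    kept_elements, parse_report = parse_elements(SAMPLE_DOC, lenient=True)
    print(json.dumps(parse_report, indent=2))
    print("missing roots:", sorted(missing_roots(SAMPLE_DOC, kept_elements)))
```

Run lenient, the parser keeps only the plain Package (minus its unknown property) and reports that both NPM-profile elements were dropped and that the SBOM's declared root no longer exists; run strict, it stops at creationInfo without touching the elements at all. Either way the consumer knows it has not understood the document, which is the property the thread is after.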