From ab6c0bf12e5fbdb99abca89f99030bfee32a5c55 Mon Sep 17 00:00:00 2001 From: Simon Egli <4662005+Deadolus@users.noreply.github.com> Date: Fri, 29 Dec 2023 08:56:56 +0100 Subject: [PATCH 01/20] Converting links from spdx -> spdx2.2 --- software/example1/README.md | 2 +- software/example2/README.md | 6 +++--- software/example3/README.md | 4 ++-- software/example4/README.md | 2 +- software/example6/README.md | 6 +++--- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/software/example1/README.md b/software/example1/README.md index 921d44a..284f008 100644 --- a/software/example1/README.md +++ b/software/example1/README.md @@ -14,7 +14,7 @@ content One [C source file](content/src/hello.c) with a simple "hello world" program, compiled into a [single binary](content/build/hello) with no dependencies via a [Makefile](content/src/Makefile). (Assumed dependencies such as the operating system kernel, C standard library, etc. are not addressed here.) -One [SPDX document](spdx/example1.spdx) showing the Makefile, source file and binary, together as a single package. +One [SPDX document](spdx2.2/example1.spdx) showing the Makefile, source file and binary, together as a single package. This assumes of course that all three files are in fact being distributed together as a single package. diff --git a/software/example2/README.md b/software/example2/README.md index b2462eb..216e01a 100644 --- a/software/example2/README.md +++ b/software/example2/README.md 
@@ -13,13 +13,13 @@ content The content is identical to [example1](../example1): one [C source file](content/src/hello.c) with a simple "hello world" program, compiled into a [single binary](content/build/hello) with no dependencies via a [Makefile](content/src/Makefile). -However, where example1 had a single SPDX document containing both source and binary, example2 instead has separate SPDX documents for [source](spdx/example2-src.spdx) and [binary](spdx/example2-bin.spdx). +However, where example1 had a single SPDX document containing both source and binary, example2 instead has separate SPDX documents for [source](spdx2.2/example2-src.spdx) and [binary](spdx2.2/example2-bin.spdx). This describes a scenario where binary and source are distributed separately, but where we want to be able to reflect the relationships between binary and source packages. ## Comments -Substantively, this is the same software as in [example1](../example). +Substantively, this is the same software as in [example1](../example1). However, here we are representing the sources and binaries as two separate Packages, on the assumption that we're distributing them separately. Because of this, the source Package and binary Package are described in two separate SPDX documents. 
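Review bot: the final change in this hunk, `[example1](../example)` to `[example1](../example1)`, repairs a pre-existing broken relative link and has nothing to do with the `spdx/` to `spdx2.2/` conversion named in the subject; either mention it in the commit message or split it into its own commit so that the link rename stays purely mechanical and can be verified by eye.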
@@ -31,6 +31,6 @@ Relationships across separate documents are handled via `DocumentRef-` tags, def Note that these external document references and relationships cannot be circular: one document can refer to the other, but (to my knowledge) they cannot refer circularly to each other. To reference another document in an ExternalDocumentRef definition, you need to specify its hash, so it isn't possible for two documents to refer to one another; each would need to modify its own contents based on the other's hash value. -In the [SPDX document for the binary](spdx/example2-bin.spdx), note how the Relationships at the end of the document include `DocumentRef-hello-src:` as a prefix. +In the [SPDX document for the binary](spdx2.2/example2-bin.spdx), note how the Relationships at the end of the document include `DocumentRef-hello-src:` as a prefix. This uses the `DocumentRef-` defined in the `ExternalDocumentRef` tag at the top of the document. This is the mechanism used to refer to SPDX identifiers for elements defined in other SPDX documents. diff --git a/software/example3/README.md b/software/example3/README.md index e548559..e514e7f 100644 --- a/software/example3/README.md +++ b/software/example3/README.md 
@@ -19,13 +19,13 @@ This file carries a BSD-3-Clause license. The other [contains a main function](content/src/main.c) which dynamically loads and uses the function from the library file. This file carries a GPL-3.0-or-later license. -As with example2, there are separate SPDX documents for [source](spdx/example3-src.spdx) and [binary](spdx/example3-bin.spdx). +As with example2, there are separate SPDX documents for [source](spdx2.2/example3-src.spdx) and [binary](spdx2.2/example3-bin.spdx). This describes a scenario where there are multiple binary files, and we want to represent the dependency and dynamic-linking relationship between the binary files. ## Comments -Note that the [binary SPDX document](spdx/example3-bin.spdx) includes the `RUNTIME_DEPENDENCY_OF` relationship between the main binary and the library binary. +Note that the [binary SPDX document](spdx2.2/example3-bin.spdx) includes the `RUNTIME_DEPENDENCY_OF` relationship between the main binary and the library binary. There are many different dependency types of Relationships defined in [v2.2 of the SPDX spec](https://spdx.github.io/spdx-spec/7-relationships-between-SPDX-elements/). We could have also used, e.g., `DEPENDENCY_OF` and/or `PREREQUISITE_FOR`. `RUNTIME_DEPENDENCY_OF` was chosen here because of the extra specificity that the library is 'required for the execution' of the main binary. diff --git a/software/example4/README.md b/software/example4/README.md index c48cc7f..98ae873 100644 --- a/software/example4/README.md +++ b/software/example4/README.md 
@@ -29,7 +29,7 @@ According to `readelf`, the example4 binary `main` relies on two shared librarie 0x0000000000000001 (NEEDED) Shared library: [libc.so.6] ``` -In [`example4-bin.spdx`](spdx/example4-bin.spdx), we can create Package Information sections for each of `libdl` and `libc`. +In [`example4-bin.spdx`](spdx2.2/example4-bin.spdx), we can create Package Information sections for each of `libdl` and `libc`. Keep in mind that these are _not_ files that are provided by the software distribution that the SPDX documents reflect: the `content/` directory does not contain libdl.so.2 or libc.so.6. Because they are not part of the software distribution that the SPDX document is primarily describing, there is _not_ a `DESCRIBES` relationship between the document and these shared libraries. diff --git a/software/example6/README.md b/software/example6/README.md index dedb1d3..2c20a1d 100644 --- a/software/example6/README.md +++ b/software/example6/README.md 
@@ -15,9 +15,9 @@ The content is identical to [example5](../example5). Nothing has changed -- in fact, the comments still refer to "Example 5" -- for illustration purposes, so that the file hashes are identical to those in Example 5. The differences are in the SPDX documents. -The [sources SPDX document](spdx/example6-src.spdx) is substantively identical to its Example 5 counterpart. -However, we've introduced [a new (third) SPDX document](spdx/example6-lib.spdx), this one describing the Go distribution used to build the Hello World program, along with Packages describing a small portion of its contents. -The [binary SPDX document](spdx/example6-bin.spdx) then includes Relationships describing how some portions of the Go distribution relate to the build results -- e.g., referencing the compiler used to build it, and the standard libraries that are incorporated into / statically linked with the binary. +The [sources SPDX document](spdx2.2/example6-src.spdx) is substantively identical to its Example 5 counterpart. +However, we've introduced [a new (third) SPDX document](spdx2.2/example6-lib.spdx), this one describing the Go distribution used to build the Hello World program, along with Packages describing a small portion of its contents. +The [binary SPDX document](spdx2.2/example6-bin.spdx) then includes Relationships describing how some portions of the Go distribution relate to the build results -- e.g., referencing the compiler used to build it, and the standard libraries that are incorporated into / statically linked with the binary. ## Comments From fda51aac7ae4e1cefa812f27534f7420706518c9 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Tue, 30 Apr 2024 18:32:28 +0100 Subject: [PATCH 02/20] Update README.md with more link to examples Using information from Tech call 2024-04-30 --- README.md | 49 +++++++++++++++++++++++++++++++++++++------------ 1 file changed, 37 insertions(+), 12 deletions(-) 
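Review bot: the example6 hunk, like every other hunk in PATCH 01/20, only rewrites link targets from `spdx/` to `spdx2.2/`; nothing in the patch renames or creates the `spdx2.2/` directory, so confirm that the rename is already on the base branch (the `software/README.md` context in PATCH 05/20 does list `spdx2.2/`), otherwise all five READMEs will point at files that do not exist. This patch is also the only one in the series without a `Signed-off-by:` trailer.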
diff --git a/README.md b/README.md index c94bc2f..bcef76d 100644 --- a/README.md +++ b/README.md 
@@ -1,22 +1,47 @@ # SPDX Usage Examples -This repository includes demonstrations of [SPDX](https://spdx.dev) for various scenarios and use cases. - -The repository is organized by profiles which represents a set of scenarios and use cases for a particular domain (e.g. security, license compliance). -Each directory contains a README.md file describing the profile and the examples contained within that directory. - -The presentations directory contains examples included in various SPDX presentations. - -Please note that this repository does not contain all of the supported fields nor all of the supported serialization formats in the latest version of the spec. Please see the [SPDX Specification Examples](https://github.com/spdx/spdx-spec/tree/development/v2.3.1/examples) for the latest and examples that contain all of the supported fields and formats. +This repository includes demonstrations of [SPDX](https://spdx.dev) for various +scenarios and use cases. + +The repository is organized by profiles which represents a set of scenarios and +use cases for a particular domain (e.g. security, license compliance). +Each directory contains a README.md file describing the profile and the +examples contained within that directory. + +The presentations directory contains examples included in various SPDX +presentations. + +Please note that this repository does not contain all of the supported fields +nor all of the supported serialization formats in the latest version of the +spec. + +Please see the `examples/` directory in +[spdx-spec](https://github.com/spdx/spdx-spec/) repo for the examples that +contain all of the supported fields and formats for a specific spec version. +This is organized using repo branch. For example, SPDX 3.0 examples will be +in [v3.0](https://github.com/spdx/spdx-spec/tree/development/v3.0/examples) +branch and SPDX 2.3 examples will be in +[v2.3](https://github.com/spdx/spdx-spec/tree/development/v2.3/examples) +branch. 
+ +Moreover, in a page for each field in +[SPDX Specification](https://spdx.github.io/spdx-spec/) there can also +be a code snippet demonstrating possible ways to use that particular field. ## Licenses Copyright Contributors to the spdx-examples project. -Unless otherwise specified, source code in this repository is licensed under the GNU General Public License, Version 3 or later (GPL-3.0-or-later). A copy is included in the COPYING file. +Unless otherwise specified, source code in this repository is licensed under +the GNU General Public License, Version 3 or later (GPL-3.0-or-later). +A copy is included in the COPYING file. -Other licenses may be specified as well for certain files for purposes of illustration or where third-party components are used. +Other licenses may be specified as well for certain files for purposes of +illustration or where third-party components are used. -Documentation in this repository is licensed under the Creative Commons Attribution 4.0 International license (CC-BY-4.0), available at https://creativecommons.org/licenses/by/4.0/. +Documentation in this repository is licensed under the Creative Commons +Attribution 4.0 International license (CC-BY-4.0), available at +https://creativecommons.org/licenses/by/4.0/. -SPDX documents in this repository are provided under CC0 1.0 Universal (CC0-1.0), available at https://creativecommons.org/publicdomain/zero/1.0/. +SPDX documents in this repository are provided under CC0 1.0 Universal +(CC0-1.0), available at https://creativecommons.org/publicdomain/zero/1.0/. From abeb710289aeef214cb916ae4ccf4b1fdcce79b7 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Tue, 30 Apr 2024 18:52:20 +0100 Subject: [PATCH 03/20] Update README.md Signed-off-by: Arthit Suriyawongkul --- README.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index bcef76d..e8a470c 100644 --- a/README.md +++ b/README.md 
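Review bot: the new text in the README hunk of PATCH 02/20 replaces a link to `development/v2.3.1/examples` with one to `development/v2.3/examples`; verify that a `v2.3` branch exists in spdx-spec, since the old URL used `v2.3.1` and PATCH 06/20 later goes back to `v2.3.1`. While these lines are being touched, `profiles which represents` should read `profiles which represent`, and `This is organized using repo branch.` reads better as `Examples are organized by branch.` Re-wrapping every paragraph to 80 columns in the same commit as the content change makes most of the diff whitespace; a separate reflow commit would make the substantive edit easier to review.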
@@ -15,18 +15,17 @@ Please note that this repository does not contain all of the supported fields nor all of the supported serialization formats in the latest version of the spec. -Please see the `examples/` directory in -[spdx-spec](https://github.com/spdx/spdx-spec/) repo for the examples that -contain all of the supported fields and formats for a specific spec version. -This is organized using repo branch. For example, SPDX 3.0 examples will be -in [v3.0](https://github.com/spdx/spdx-spec/tree/development/v3.0/examples) -branch and SPDX 2.3 examples will be in -[v2.3](https://github.com/spdx/spdx-spec/tree/development/v2.3/examples) -branch. - -Moreover, in a page for each field in -[SPDX Specification](https://spdx.github.io/spdx-spec/) there can also -be a code snippet demonstrating possible ways to use that particular field. +- Please see the `examples/` directory in + [spdx-spec](https://github.com/spdx/spdx-spec/) repo for the examples that + contain all of the supported fields and formats for a specific spec version. + This is organized using repo branch. For example, SPDX 3.0 examples will be + in [v3.0](https://github.com/spdx/spdx-spec/tree/development/v3.0/examples) + branch and SPDX 2.3 examples will be in + [v2.3](https://github.com/spdx/spdx-spec/tree/development/v2.3/examples) + branch. +- Moreover, in a page for each field in + [SPDX Specification](https://spdx.github.io/spdx-spec/), there can also + be a code snippet demonstrating how to use that particular field. ## Licenses From 444539bda56649db430424a982af4c628aafb753 Mon Sep 17 00:00:00 2001 From: mlemairemtp Date: Fri, 9 Aug 2024 11:45:54 +0200 Subject: [PATCH 04/20] Update README.md Update the path to the spdx file Signed-off-by: mlemairemtp --- software/example1/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/software/example1/README.md b/software/example1/README.md index 921d44a..284f008 100644 --- a/software/example1/README.md +++ b/software/example1/README.md 
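Review bot: the bullets in the hunk of PATCH 03/20 carry over the awkward wording of the prose they replace: `Moreover,` makes no sense as the opener of a list item, and `This is organized using repo branch.` is still ungrammatical; drop `Moreover,` and say that examples are organized by branch. `SPDX 3.0 examples will be in` uses future tense for a branch the link already points at; `are in` is accurate.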
@@ -14,7 +14,7 @@ content One [C source file](content/src/hello.c) with a simple "hello world" program, compiled into a [single binary](content/build/hello) with no dependencies via a [Makefile](content/src/Makefile). (Assumed dependencies such as the operating system kernel, C standard library, etc. are not addressed here.) -One [SPDX document](spdx/example1.spdx) showing the Makefile, source file and binary, together as a single package. +One [SPDX document](spdx2.2/example1.spdx) showing the Makefile, source file and binary, together as a single package. This assumes of course that all three files are in fact being distributed together as a single package. From 3a6aad93fd3a5a969a064e7f6d3dd0da6ed1313b Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Wed, 14 Aug 2024 23:17:07 +0100 Subject: [PATCH 05/20] Add spdx2.3/ dir mention to software/README Signed-off-by: Arthit Suriyawongkul Signed-off-by: Arthit Suriyawongkul --- software/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/software/README.md b/software/README.md index bfd2ad9..2c699e2 100644 --- a/software/README.md +++ b/software/README.md @@ -12,6 +12,8 @@ Directories of the form `example#` are structured as follows: - `content/src/`: contains the example's source code - `spdx2.2/`: contains one or more SPDX 2.2 documents (in tag-value or JSON format) for the sources and the build artifacts +- `spdx2.3/`: contains one or more SPDX 2.3 documents (in tag-value or JSON + format) for the sources and the build artifacts - `spdx3.0/`: contains one or more SPDX 3.0 documents for the sources and the build artifacts - `README.md`: more details about the particular example From d8809cab2b3443ae46dbb119f762028509a65a29 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Tue, 20 Aug 2024 23:44:20 +0800 Subject: [PATCH 06/20] Add info about examples in Playground repo 7404e21 Add info from https://github.com/spdx/meetings/blob/main/asia/2024/2024-08-13.md 
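Review bot: the single hunk of PATCH 04/20 is byte-for-byte the example1 hunk already applied by PATCH 01/20 (same blob ids `921d44a..284f008`, same `-`/`+` lines), so `git am` will fail on it once 01/20 has been applied; drop this patch from the series, or reorder it if it was meant to land before 01/20.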
Signed-off-by: Arthit Suriyawongkul --- README.md | 48 ++++++++++++++++++++++++++---------------------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 4c4ddba..af58775 100644 --- a/README.md +++ b/README.md 
@@ -5,30 +5,34 @@ scenarios and use cases. The repository is organized by profiles which represents a set of scenarios and use cases for a particular domain (e.g. security, license compliance). -Each directory contains a README.md file describing the profile and the -examples contained within that directory. - -The [`presentations`](./presentations/) directory contains examples included in -various SPDX presentations. - -Please note that this repository does not contain all of the supported fields -nor all of the supported serialization formats in the latest version of the -specification. -Additional version-specific examples can be found in the `examples` directory -of each specification version, for example: +- [AI](./ai/) +- [Dataset](./dataset/) +- [Software](./software/) -- [v3.0.1](https://github.com/spdx/spdx-spec/tree/development/v3.0.1/examples) -- [v2.3.1](https://github.com/spdx/spdx-spec/tree/development/v2.3.1/examples) - -Moreover, in a page for each field in -[SPDX Specification](https://spdx.github.io/spdx-spec/), there can also -be a code snippet demonstrating how to use that particular field. - -More guidance on using SPDX, including how to use SPDX License List short -identifiers in source files and leverage SPDX for compliance with standards and -regulations, is available in the [`spdx/using`](https://github.com/spdx/using/) -repository. +Each directory contains a README.md file describing the profile and the +examples contained within that directory. +Please note that they do not contain all supported fields or serialization +formats specified in the latest version of the specification. + +## More examples + +- The [`presentations`](./presentations/) directory in this repository + contains examples included in various SPDX presentations. +- Moreover, in a page for each field in + [SPDX Specification](https://spdx.github.io/spdx-spec/), there can also + be a code snippet demonstrating how to use that particular field. 
+- Additional version-specific examples can be found in the `examples` directory + of each specification version in [`spdx-spec`](https://github.com/spdx/spdx-spec/) repository. + For example: + - [`v3.0.1`](https://github.com/spdx/spdx-spec/tree/development/v3.0.1/examples) + - [`v2.3.1`](https://github.com/spdx/spdx-spec/tree/development/v2.3.1/examples) +- More guidance on using SPDX, including how to use SPDX License List short + identifiers in source files and leverage SPDX for compliance with standards + and regulations, is available in the [`spdx/using`](https://github.com/spdx/using/) + repository. +- The Playground repository at [`spdx-3-serialization-prototype-playground`](https://github.com/spdx/spdx-3-serialization-prototype-playground) + contains some examples that may not pass validation. ## Licenses From 64d935d9ee6bd160c9b4c97a62c77f4e6712fa83 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Tue, 20 Aug 2024 23:48:34 +0800 Subject: [PATCH 07/20] Add JSON-LD serialization examples Signed-off-by: Arthit Suriyawongkul --- README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/README.md b/README.md index af58775..907d301 100644 --- a/README.md +++ b/README.md @@ -27,6 +27,9 @@ formats specified in the latest version of the specification. For example: - [`v3.0.1`](https://github.com/spdx/spdx-spec/tree/development/v3.0.1/examples) - [`v2.3.1`](https://github.com/spdx/spdx-spec/tree/development/v2.3.1/examples) +- JSON-LD serialization examples can be found in + [`spdx/spdx-3-model`](https://github.com/spdx/spdx-3-model/blob/main/serialization/jsonld/examples.md) + repository. - More guidance on using SPDX, including how to use SPDX License List short identifiers in source files and leverage SPDX for compliance with standards and regulations, is available in the [`spdx/using`](https://github.com/spdx/using/) From 48a768ed195cf26769a658b62b818b3376e358ac Mon Sep 17 00:00:00 2001 
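Review bot: in the paragraph added by PATCH 06/20, `Please note that they do not contain all supported fields` has an ambiguous antecedent (`they` could be the directories or their README files); say `these examples`. The Playground bullet should state which examples `may not pass validation` and against which spec version, because a reader who copies one into a pipeline that validates SBOMs will get a failure with no hint why; at minimum mark that repository as experimental. That bullet is also the one line in the hunk that runs well past the 80-column wrap the rest of the file uses.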
From: Gary O'Neall Date: Wed, 11 Sep 2024 13:25:20 -0700 Subject: [PATCH 08/20] Add SPDX 3 format example for software/example1 Signed-off-by: Gary O'Neall --- software/example1/spdx3.0/example1.json | 238 ++++++++++++++++++++++++ 1 file changed, 238 insertions(+) create mode 100644 software/example1/spdx3.0/example1.json diff --git a/software/example1/spdx3.0/example1.json b/software/example1/spdx3.0/example1.json new file mode 100644 index 0000000..9098061 --- /dev/null +++ b/software/example1/spdx3.0/example1.json 
@@ -0,0 +1,238 @@ +{ + "@context" : "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", + "@graph" : [ { + "@id" : "_:creationInfo_0", + "type" : "CreationInfo", + "specVersion" : "3.0.1", + "createdBy" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd0" ], + "createdUsing" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/additionalToolSPDXRef-gnrtd2", "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/additionalToolSPDXRef-gnrtd1" ], + "created" : "2021-08-26T01:46:00Z" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd3", + "type" : "Relationship", + "relationshipType" : "describes", + "completeness" : "noAssertion", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/document0", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd5", + "type" : "Relationship", + "relationshipType" : "contains", + "completeness" : "noAssertion", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd6" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd7", + "type" : "Relationship", + "relationshipType" : "hasConcludedLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd6", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd9", + "type" : "Relationship", + "relationshipType" : "hasDeclaredLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], 
+ "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd6", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd10", + "type" : "Relationship", + "relationshipType" : "contains", + "completeness" : "noAssertion", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd11" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd12", + "type" : "Relationship", + "relationshipType" : "generates", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd11" ], + "completeness" : "noAssertion", + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd13", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd15", + "type" : "Relationship", + "relationshipType" : "hasConcludedLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd13", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd16", + "type" : "Relationship", + "relationshipType" : "hasDeclaredLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd13", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd17", + "type" : "Relationship", + "relationshipType" : "generates", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd11" ], + 
"completeness" : "noAssertion", + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd6", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd18", + "type" : "Relationship", + "relationshipType" : "hasConcludedLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd11", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd19", + "type" : "Relationship", + "relationshipType" : "hasDeclaredLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd20" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd11", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd21", + "type" : "Relationship", + "relationshipType" : "contains", + "completeness" : "noAssertion", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd13" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd22", + "type" : "Relationship", + "relationshipType" : "hasConcludedLicense", + "to" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd23", + "type" : "Relationship", + "relationshipType" : "hasDeclaredLicense", + "to" : [ 
"https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8" ], + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/document0", + "type" : "SpdxDocument", + "dataLicense" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd24", + "rootElement" : [ "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4" ], + "name" : "hello", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/additionalToolSPDXRef-gnrtd1", + "type" : "Tool", + "name" : "github.com/spdx/tools-golang/builder", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/additionalToolSPDXRef-gnrtd2", + "type" : "Tool", + "name" : "github.com/spdx/tools-golang/idsearcher", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd8", + "type" : "simplelicensing_LicenseExpression", + "simplelicensing_licenseExpression" : "GPL-3.0-or-later", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd20", + "type" : "simplelicensing_LicenseExpression", + "simplelicensing_licenseExpression" : "NOASSERTION", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd24", + "type" : "simplelicensing_LicenseExpression", + "simplelicensing_licenseExpression" : "CC0-1.0", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd14", + "type" : "LifecycleScopedRelationship", + "relationshipType" : "usesTool", + "scope" : "build", + "to" : [ 
"https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd13" ], + "completeness" : "noAssertion", + "from" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd0", + "type" : "Person", + "externalIdentifier" : [ { + "type" : "ExternalIdentifier", + "identifier" : "steve@swinslow.net", + "externalIdentifierType" : "email" + } ], + "name" : "Steve Winslow", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd6", + "type" : "software_File", + "software_copyrightText" : "Copyright Contributors to the spdx-examples project.", + "verifiedUsing" : [ { + "type" : "Hash", + "algorithm" : "md5", + "hashValue" : "935054fe899ca782e11003bbae5e166c" + }, { + "type" : "Hash", + "algorithm" : "sha1", + "hashValue" : "20862a6d08391d07d09344029533ec644fac6b21" + }, { + "type" : "Hash", + "algorithm" : "sha256", + "hashValue" : "b4e5ca56d1f9110ca94ed0bf4e6d9ac11c2186eb7cd95159c6fdb50e8db5a823" + } ], + "name" : "./src/hello.c", + "software_primaryPurpose" : "source", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd11", + "type" : "software_File", + "software_copyrightText" : "NOASSERTION", + "verifiedUsing" : [ { + "type" : "Hash", + "algorithm" : "sha1", + "hashValue" : "20291a81ef065ff891b537b64d4fdccaf6f5ac02" + }, { + "type" : "Hash", + "algorithm" : "sha256", + "hashValue" : "83a33ff09648bb5fc5272baca88cf2b59fd81ac4cc6817b86998136af368708e" + }, { + "type" : "Hash", + "algorithm" : "md5", + "hashValue" : "08a12c966d776864cc1eb41fd03c3c3d" + } ], + "name" : "./build/hello", + "contentType" : "application/octet-stream", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : 
"https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd13", + "type" : "software_File", + "software_copyrightText" : "NOASSERTION", + "verifiedUsing" : [ { + "type" : "Hash", + "algorithm" : "sha1", + "hashValue" : "69a2e85696fff1865c3f0686d6c3824b59915c80" + }, { + "type" : "Hash", + "algorithm" : "sha256", + "hashValue" : "5da19033ba058e322e21c90e6d6d859c90b1b544e7840859c12cae5da005e79c" + }, { + "type" : "Hash", + "algorithm" : "md5", + "hashValue" : "559424589a4f3f75fd542810473d8bc1" + } ], + "name" : "./src/Makefile", + "software_primaryPurpose" : "source", + "creationInfo" : "_:creationInfo_0" + }, { + "spdxId" : "https://swinslow.net/spdx-examples/example1/hello-v3-specv3/SPDXRef-gnrtd4", + "type" : "software_Package", + "software_copyrightText" : "NOASSERTION", + "software_downloadLocation" : "git+https://github.com/swinslow/spdx-examples.git#example1/content", + "verifiedUsing" : [ { + "type" : "PackageVerificationCode", + "algorithm" : "sha1", + "hashValue" : "9d20237bb72087e87069f96afb41c6ca2fa2a342" + } ], + "name" : "hello", + "creationInfo" : "_:creationInfo_0" + } ] +} \ No newline at end of file From 78718e7756b87ad3ef15be393f3ac68ced12003d Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Mon, 10 Jun 2024 06:40:24 -0700 Subject: [PATCH 09/20] Add SPDX 3.0 for example7 Signed-off-by: Nisha Kumar --- .../spdx3.0/example7-golang.spdx.jsonld | 103 ++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 software/example7/spdx3.0/example7-golang.spdx.jsonld diff --git a/software/example7/spdx3.0/example7-golang.spdx.jsonld b/software/example7/spdx3.0/example7-golang.spdx.jsonld new file mode 100644 index 0000000..ca3a48c --- /dev/null +++ b/software/example7/spdx3.0/example7-golang.spdx.jsonld 
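Review bot: in the new `example1.json` of PATCH 08/20, the file lives under `spdx3.0/` but declares `@context` `.../rdf/3.0.1/spdx-context.jsonld` and `specVersion` `3.0.1`; align the directory name or the version with the `spdx3.0/` description in `software/README.md`. `SPDXRef-gnrtd14` is a `LifecycleScopedRelationship` of type `usesTool` from the package to `SPDXRef-gnrtd13`, which is `./src/Makefile`, a `software_File` with `software_primaryPurpose` `source`; if the intent is to record the Makefile as a build tool, say so in a comment or model it as a `Tool`, otherwise a reader will assume a tool element is missing. `./build/hello` (`SPDXRef-gnrtd11`) has `contentType` but no `software_primaryPurpose`; `executable` would parallel the `source` purpose on the other two files. `software_downloadLocation` points at `github.com/swinslow/spdx-examples.git`, a personal fork, rather than this repository. Finally, add the missing newline at end of file.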
@@ -0,0 +1,103 @@ +{ + "@context": [ + "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" + ], + "@graph": [ + { + "spdxId": "mailto:nishak@vmware.com", + "type": "Person", + "creationInfo": "_:creationInfo", + "comment": "Person or Tool that created this document", + "name": "Nisha K", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "nishak@vmware.com" + } + ] + }, + { + "spdxId": "https://golang.org", + "type": "Organization", + "creationInfo": "_:creationInfo", + "comment": "The organization that originated the software package", + "name": "golang.org" + }, + { + "@id": "_:creationInfo", + "type": "CreationInfo", + "created": "2020-11-24T01:12:27Z", + "createdBy": [ + "mailto:nishak@vmware.com" + ], + "comment": "All objects within the graph will have this same CreationInfo" + }, + { + "spdxId": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", + "type": "Software_Package", + "name": "go1.16.4.linux-amd64", + "creationInfo": "_:creationInfo", + "comment": "This is the downloaded tarball to be installed on disk", + "software_packageVersion": "1.16.4", + "software_primaryPurpose": "install", + "software_downloadLocation": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", + "originatedBy": "https://golang.org", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "7154e88f5a8047aad4b80ebace58a059e36e7e2e4eb3b383127a28c711b4ff59" + } + ] + }, + { + "spdxId": "https://golang.org/dl/go-compiler", + "type": "Software_File", + "name": "go", + "creationInfo": "_:creationInfo", + "comment": "The installation comes with an executable", + "originatedBy": "https://golang.org", + "software_primaryPurpose": "executable" + }, + { + "type": "Relationship", + "spdxId": "https://spdx.org/golang-dist-contains", + "creationInfo": "_:creationInfo", + "relationshipType": "contains", + "from": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", + "to": [ + 
"https://golang.org/dl/go-compiler" + ] + }, + { + "type": "software_Sbom", + "spdxId": "https://spdx.org/go1.16.4-sbom", + "creationInfo": "_:creationInfo", + "comment": "The SBOM communicates that this document is an SBOM", + "rootElement": [ + "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz" + ], + "element": [ + "https://golang.org/dl/go-compiler", + "https://spdx.org/golang-dist-contains" + ] + }, + { + "spdxId": "https://github.com/spdx-examples/example7-golang.spdx.jsonld", + "type": "SpdxDocument", + "creationInfo": "_:creationInfo", + "comment": "This document's primary communication is the SBOM", + "name": "example7-golang.spdx.jsonld", + "profileConformance": [ + "core", + "software" + ], + "dataLicense": "CC0-1.0", + "createdUsing": [ + "manual" + ], + "rootElement": "https://golang.org/dl/go1.16.4-sbom" + } + ] +} From 53c620b1f8829700487f9f74b2116b3876eab3fe Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Tue, 11 Jun 2024 11:22:07 -0700 Subject: [PATCH 10/20] Basic updates: fix glaring mistakes - Use URN instead of URI for spdxId - Fix capitalization on types - Move `createdUsing` to `CreationInfo` object Signed-off-by: Nisha Kumar --- .../spdx3.0/example7-golang.spdx.jsonld | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/software/example7/spdx3.0/example7-golang.spdx.jsonld b/software/example7/spdx3.0/example7-golang.spdx.jsonld index ca3a48c..48520df 100644 --- a/software/example7/spdx3.0/example7-golang.spdx.jsonld +++ b/software/example7/spdx3.0/example7-golang.spdx.jsonld @@ -4,7 +4,7 @@ ], "@graph": [ { - "spdxId": "mailto:nishak@vmware.com", + "spdxId": "urn:uuid:cc81c9c0-c466-4e22-b3f6-945a65f5d07b", "type": "Person", "creationInfo": "_:creationInfo", "comment": "Person or Tool that created this document", 
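Review bot: in the new example7-golang.spdx.jsonld, the SpdxDocument's `"rootElement": "https://golang.org/dl/go1.16.4-sbom"` points at an spdxId that exists nowhere in the graph; the software_Sbom is identified as `"https://spdx.org/go1.16.4-sbom"`, so a consumer resolving the document root finds nothing. Make the two agree, and list the root in the SBOM's `element` array as well (the Package `https://golang.org/dl/go1.16.4.linux-amd64.tar.gz` is a root but not an element). Also, `"type": "Software_Package"` and `"Software_File"` use a capital S, whereas the example1 document earlier in this series uses `software_Package` / `software_File`; the capitalised spellings are not terms in the 3.0.0 JSON-LD context and will not map to SPDX classes.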
@@ -18,7 +18,7 @@ ] }, { - "spdxId": "https://golang.org", + "spdxId": "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d", "type": "Organization", "creationInfo": "_:creationInfo", "comment": "The organization that originated the software package", @@ -29,20 +29,23 @@ "type": "CreationInfo", "created": "2020-11-24T01:12:27Z", "createdBy": [ - "mailto:nishak@vmware.com" + "urn:uuid:cc81c9c0-c466-4e22-b3f6-945a65f5d07b" + ], + "createdUsing": [ + "manual" ], "comment": "All objects within the graph will have this same CreationInfo" }, { - "spdxId": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", - "type": "Software_Package", - "name": "go1.16.4.linux-amd64", + "spdxId": "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", + "type": "software_Package", + "name": "go1.16.4.linux-amd64.tar.gz", "creationInfo": "_:creationInfo", "comment": "This is the downloaded tarball to be installed on disk", "software_packageVersion": "1.16.4", "software_primaryPurpose": "install", "software_downloadLocation": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", - "originatedBy": "https://golang.org", + "originatedBy": "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d", "verifiedUsing": [ { "type": "Hash", 
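Review bot: `"createdUsing": ["manual"]` is moved onto the CreationInfo, which is the right object for it, but in SPDX 3.0 `createdUsing` holds references to Tool elements, so the bare string `"manual"` is not a resolvable spdxId. If these documents are hand-written, drop the property entirely (the `createdBy` Person already records who produced them); otherwise add a Tool element and reference its id here.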
@@ -52,52 +55,49 @@ ] }, { - "spdxId": "https://golang.org/dl/go-compiler", - "type": "Software_File", + "spdxId": "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95", + "type": "software_File", "name": "go", "creationInfo": "_:creationInfo", "comment": "The installation comes with an executable", - "originatedBy": "https://golang.org", + "originatedBy": "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d", "software_primaryPurpose": "executable" }, { "type": "Relationship", - "spdxId": "https://spdx.org/golang-dist-contains", + "spdxId": "urn:uuid:92c6754b-d6e9-48b7-8b86-54fdc89995a6", "creationInfo": "_:creationInfo", "relationshipType": "contains", - "from": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", + "from": "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", "to": [ - "https://golang.org/dl/go-compiler" + "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95" ] }, { "type": "software_Sbom", - "spdxId": "https://spdx.org/go1.16.4-sbom", + "spdxId": "urn:uuid:d523d308-8348-4051-85ea-a67a14978fad", "creationInfo": "_:creationInfo", "comment": "The SBOM communicates that this document is an SBOM", "rootElement": [ - "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz" + "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" ], "element": [ - "https://golang.org/dl/go-compiler", - "https://spdx.org/golang-dist-contains" + "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95", + "urn:uuid:92c6754b-d6e9-48b7-8b86-54fdc89995a6" ] }, { - "spdxId": "https://github.com/spdx-examples/example7-golang.spdx.jsonld", + "spdxId": "urn:uuid:93867a66-8945-45c2-ac11-4277d3af38fa", "type": "SpdxDocument", "creationInfo": "_:creationInfo", "comment": "This document's primary communication is the SBOM", - "name": "example7-golang.spdx.jsonld", + "name": "example7-golang.spdx", "profileConformance": [ "core", "software" ], "dataLicense": "CC0-1.0", - "createdUsing": [ - "manual" - ], - "rootElement": "https://golang.org/dl/go1.16.4-sbom" + "rootElement": "urn:uuid:d523d308-8348-4051-85ea-a67a14978fad" } ] 
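Review bot: the SBOM's `element` list in this hunk still names only the File and the Relationship (`urn:uuid:3b2939bf…`, `urn:uuid:92c6754b…`), while its `rootElement` is the Package `urn:uuid:a9f18ff3…`, which is not itself listed; the Person and Organization referenced from `createdBy` and `originatedBy` are absent too. A collection's root elements should be members of `element`, so add the Package (and the agents) there. The SpdxDocument's `"rootElement": "urn:uuid:d523d308-…"` is also still a plain string; the property is multi-valued in 3.0 and should be an array, consistent with the software_Sbom just above it.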
} From cb9caa64bf5e086f8a27d280e6309d7c1f5e5b6a Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Tue, 11 Jun 2024 15:21:24 -0700 Subject: [PATCH 11/20] Add SPDX 3.0 JSONLD document for a go module Signed-off-by: Nisha Kumar --- .../spdx3.0/example7-go-module.spdx.jsonld | 72 +++++++++++++++++++ 1 file changed, 72 insertions(+) create mode 100644 software/example7/spdx3.0/example7-go-module.spdx.jsonld diff --git a/software/example7/spdx3.0/example7-go-module.spdx.jsonld b/software/example7/spdx3.0/example7-go-module.spdx.jsonld new file mode 100644 index 0000000..66b823f --- /dev/null +++ b/software/example7/spdx3.0/example7-go-module.spdx.jsonld 
@@ -0,0 +1,72 @@ +{ + "@context": [ + "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" + ], + "@graph": [ + { + "spdxId": "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", + "type": "Person", + "creationInfo": "_:creationInfo", + "comment": "Person or Tool that created this document. Assuming that this document was created by the same person/tool but at a different time", + "name": "Nisha K", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "nishak@vmware.com" + } + ] + }, + { + "spdxId": "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde", + "type": "Organization", + "creationInfo": "_:creationInfo", + "comment": "The organization that originated the software package", + "name": "golang.org" + }, + { + "@id": "_:creationInfo", + "type": "CreationInfo", + "created": "2020-11-25T01:12:27Z", + "createdBy": [ + "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8" + ], + "createdUsing": [ + "manual" + ], + "comment": "All objects within the graph will have this same CreationInfo" + }, + { + "spdxId": "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8", + "type": "software_Package", + "name": "example.com/hello", + "creationInfo": "_:creationInfo", + "comment": "This is version controlled source code, generated by the ssame person who made this document", + "software_primaryPurpose": "source", + "software_downloadLocation": "git://github.com/spdx/spdx-examples.git#software/example7/src/hello", + "originatedBy": "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8" + }, + { + "type": "software_Sbom", + "spdxId": "urn:uuid:711c6f39-6c80-494e-b848-1c01e8962345", + "creationInfo": "_:creationInfo", + "comment": "The SBOM communicates that this document is an SBOM. 
The SBOM only has one element", + "rootElement": [ + "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" + ] + }, + { + "spdxId": "urn:uuid:b61745ef-59c7-4804-878d-fccbe455bd80", + "type": "SpdxDocument", + "creationInfo": "_:creationInfo", + "comment": "This document's primary communication is the SBOM", + "name": "example7-go-module.spdx", + "profileConformance": [ + "core", + "software" + ], + "dataLicense": "CC0-1.0", + "rootElement": "urn:uuid:711c6f39-6c80-494e-b848-1c01e8962345" + } + ] +} From 2219fd6068b35fa1e22d50cb0ff8e408dbd5b0ff Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Wed, 12 Jun 2024 09:52:05 -0700 Subject: [PATCH 12/20] example7: spdx3.0: Modifications to schema - Remove "createdUsing" as these files are manually created - "rootElement" is a list - "element" in the SBOM element is a list of all elements in the SBOM Signed-off-by: Nisha Kumar --- .../example7/spdx3.0/example7-go-module.spdx.jsonld | 12 ++++++++---- .../example7/spdx3.0/example7-golang.spdx.jsonld | 10 ++++++---- 2 files changed, 14 insertions(+), 8 deletions(-) diff --git a/software/example7/spdx3.0/example7-go-module.spdx.jsonld b/software/example7/spdx3.0/example7-go-module.spdx.jsonld index 66b823f..70788f5 100644 --- a/software/example7/spdx3.0/example7-go-module.spdx.jsonld +++ b/software/example7/spdx3.0/example7-go-module.spdx.jsonld @@ -31,9 +31,6 @@ "createdBy": [ "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8" ], - "createdUsing": [ - "manual" - ], "comment": "All objects within the graph will have this same CreationInfo" }, { @@ -54,6 +51,11 @@ "rootElement": [ "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" ] + "element": [ + "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", + "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", + "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde", + ] }, { "spdxId": "urn:uuid:b61745ef-59c7-4804-878d-fccbe455bd80", 
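Review bot: the software_Sbom in the new example7-go-module.spdx.jsonld has `"rootElement": ["urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b"]`, which is the Go toolchain tarball from example7-golang.spdx.jsonld, not the `example.com/hello` package this document defines (`urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8`); as written the root is a dangling reference. Two smaller points in the same hunk: `"software_downloadLocation": "git://github.com/spdx/spdx-examples.git#…"` uses the unauthenticated `git://` transport, which GitHub no longer serves and which gives a consumer no way to verify the origin, so prefer `git+https://…` as example1's document in this series does; and the package comment has a typo, `ssame`.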
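Review bot: the `@@ -54,6 +51,11 @@` hunk for example7-go-module.spdx.jsonld produces invalid JSON: `"element": [` is inserted directly after the closing `]` of `rootElement` with no comma between them, and the new array ends with a trailing comma after `"urn:uuid:d8bfb4bd-…"`. Both will fail any JSON parser. The list also still includes `urn:uuid:a9f18ff3-…`, which is not an element defined in this document.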
@@ -66,7 +68,9 @@ "software" ], "dataLicense": "CC0-1.0", - "rootElement": "urn:uuid:711c6f39-6c80-494e-b848-1c01e8962345" + "rootElement": [ + "urn:uuid:711c6f39-6c80-494e-b848-1c01e8962345" + ] } ] } diff --git a/software/example7/spdx3.0/example7-golang.spdx.jsonld b/software/example7/spdx3.0/example7-golang.spdx.jsonld index 48520df..ac15968 100644 --- a/software/example7/spdx3.0/example7-golang.spdx.jsonld +++ b/software/example7/spdx3.0/example7-golang.spdx.jsonld @@ -31,9 +31,6 @@ "createdBy": [ "urn:uuid:cc81c9c0-c466-4e22-b3f6-945a65f5d07b" ], - "createdUsing": [ - "manual" - ], "comment": "All objects within the graph will have this same CreationInfo" }, { @@ -82,6 +79,9 @@ "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" ], "element": [ + "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d", + "urn:uuid:cc81c9c0-c466-4e22-b3f6-945a65f5d07b", + "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95", "urn:uuid:92c6754b-d6e9-48b7-8b86-54fdc89995a6" ] @@ -97,7 +97,9 @@ "software" ], "dataLicense": "CC0-1.0", - "rootElement": "urn:uuid:d523d308-8348-4051-85ea-a67a14978fad" + "rootElement": [ + "urn:uuid:d523d308-8348-4051-85ea-a67a14978fad" + ] } ] } From 08541581cee54889770cb45c8cd14a098b8a48b9 Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Mon, 5 Aug 2024 11:42:27 -0700 Subject: [PATCH 13/20] Fix JSON parsing errors Signed-off-by: Nisha Kumar --- software/example7/spdx3.0/example7-go-module.spdx.jsonld | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/software/example7/spdx3.0/example7-go-module.spdx.jsonld b/software/example7/spdx3.0/example7-go-module.spdx.jsonld index 70788f5..f1c81bb 100644 --- a/software/example7/spdx3.0/example7-go-module.spdx.jsonld +++ b/software/example7/spdx3.0/example7-go-module.spdx.jsonld 
@@ -50,11 +50,11 @@ "comment": "The SBOM communicates that this document is an SBOM. The SBOM only has one element", "rootElement": [ "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" - ] + ], "element": [ "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", - "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde", + "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde" ] }, { From d07093e9fc49d665bb4cf6b79c477c35b19a5a7e Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Mon, 5 Aug 2024 11:52:50 -0700 Subject: [PATCH 14/20] Fix elements - Remove Organization element - Fix root element and element list uuids Signed-off-by: Nisha Kumar --- .../spdx3.0/example7-go-module.spdx.jsonld | 14 +++----------- 1 file changed, 3 insertions(+), 11 deletions(-) diff --git a/software/example7/spdx3.0/example7-go-module.spdx.jsonld b/software/example7/spdx3.0/example7-go-module.spdx.jsonld index f1c81bb..2cd842b 100644 --- a/software/example7/spdx3.0/example7-go-module.spdx.jsonld +++ b/software/example7/spdx3.0/example7-go-module.spdx.jsonld @@ -17,13 +17,6 @@ } ] }, - { - "spdxId": "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde", - "type": "Organization", - "creationInfo": "_:creationInfo", - "comment": "The organization that originated the software package", - "name": "golang.org" - }, { "@id": "_:creationInfo", "type": "CreationInfo", 
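Review bot: the comma fixes in example7-go-module.spdx.jsonld are correct, but the fact that unparseable JSON was committed in the previous patch shows these files are never parsed before merge. A CI step that runs `python -m json.tool` (or a JSON-LD validator) over `software/*/spdx3.0/*.jsonld` would catch this class of error automatically and is worth adding in this series.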
@@ -47,14 +40,13 @@ "type": "software_Sbom", "spdxId": "urn:uuid:711c6f39-6c80-494e-b848-1c01e8962345", "creationInfo": "_:creationInfo", - "comment": "The SBOM communicates that this document is an SBOM. The SBOM only has one element", + "comment": "The SBOM communicates that this document is an SBOM. The SBOM only has one software package and its creator", "rootElement": [ - "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" + "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8" ], "element": [ "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", - "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", - "urn:uuid:d8bfb4bd-f3b9-4d5e-b83d-dd48038ecfde" + "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8" ] }, { From 13bf52016df46f6b178c865c4618e6023f92908c Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Mon, 5 Aug 2024 17:30:02 -0700 Subject: [PATCH 15/20] Add example 7 third party modules Signed-off-by: Nisha Kumar --- .../example7-third-party-modules.spdx.jsonld | 95 +++++++++++++++++++ 1 file changed, 95 insertions(+) create mode 100644 software/example7/spdx3.0/example7-third-party-modules.spdx.jsonld diff --git a/software/example7/spdx3.0/example7-third-party-modules.spdx.jsonld b/software/example7/spdx3.0/example7-third-party-modules.spdx.jsonld new file mode 100644 index 0000000..86e381b --- /dev/null +++ b/software/example7/spdx3.0/example7-third-party-modules.spdx.jsonld 
@@ -0,0 +1,95 @@ +{ + "@context": [ + "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" + ], + "@graph": [ + { + "spdxId": "urn:uuid:75f4bf57-0976-446d-869a-67856a1fa5bb", + "type": "Person", + "creationInfo": "_:creationInfo", + "comment": "Person or Tool that created this document. Assuming that this document was created by the same person/tool but at a different time", + "name": "Nisha K", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "nishak@vmware.com" + } + ] + }, + { + "spdxId": "urn:uuid:4b3add7d-8d36-488d-b7cc-f3891af633d1", + "type": "Organization", + "creationInfo": "_:creationInfo", + "comment": "It is unclear who originated the packages in the SBOM. However, there are domain names", + "name": "golang.org" + }, + { + "spdxId": "urn:uuid:1c20ec6e-6e84-417a-8b7f-51bb69f62cb2", + "type": "Organization", + "creationInfo": "_:creationInfo", + "comment": "It is unclear who originated the packages in the SBOM. However, there are domain names", + "name": "rsc.io" + }, + { + "@id": "_:creationInfo", + "type": "CreationInfo", + "created": "2020-11-25T01:12:27Z", + "createdBy": [ + "urn:uuid:75f4bf57-0976-446d-869a-67856a1fa5bb" + ], + "comment": "All objects within the graph will have this same CreationInfo" + }, + { + "spdxId": "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", + "type": "software_Package", + "name": "golang.org/x/text", + "creationInfo": "_:creationInfo", + "comment": "Go module dependency. The author is not given", + "software_primaryPurpose": "library", + "software_downloadLocation": "git://golang.org/x/text@v0.0.0-20170915032832-14c0d48ead0c", + "originatedBy": "urn:uuid:4b3add7d-8d36-488d-b7cc-f3891af633d1" + }, + { + "spdxId": "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73", + "type": "software_Package", + "name": "rsc.io/quote", + "creationInfo": "_:creationInfo", + "comment": "Go module dependency. 
The author is not given", + "software_primaryPurpose": "library", + "software_downloadLocation": "git://rsc.io/sampler@v1.3.0", + "originatedBy": "urn:uuid:1c20ec6e-6e84-417a-8b7f-51bb69f62cb2" + }, + { + "type": "software_Sbom", + "spdxId": "urn:uuid:30bebcfc-096f-4cbd-9fea-da1b8c5f8ea6", + "creationInfo": "_:creationInfo", + "comment": "The SBOM communicates that this document is an SBOM. The SBOM has more than one root element", + "rootElement": [ + "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", + "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73" + ], + "element": [ + "urn:uuid:75f4bf57-0976-446d-869a-67856a1fa5bb", + "urn:uuid:0ae67aec-e3f7-4020-b0bc-068486068127", + "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", + "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73" + ] + }, + { + "spdxId": "urn:uuid:28789527-d15c-4c77-93b3-d6f25df6c1ef", + "type": "SpdxDocument", + "creationInfo": "_:creationInfo", + "comment": "This document's primary communication is the SBOM", + "name": "example7-third-party-modules.spdx", + "profileConformance": [ + "core", + "software" + ], + "dataLicense": "CC0-1.0", + "rootElement": [ + "urn:uuid:30bebcfc-096f-4cbd-9fea-da1b8c5f8ea6" + ] + } + ] +} From 298156a603f84cdcc2939bdf789be7319cfc2c40 Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Tue, 6 Aug 2024 20:07:09 -0700 Subject: [PATCH 16/20] Add binary JSONLD document Signed-off-by: Nisha Kumar --- .../example7/spdx3.0/example7-bin.spdx.jsonld | 160 ++++++++++++++++++ 1 file changed, 160 insertions(+) create mode 100644 software/example7/spdx3.0/example7-bin.spdx.jsonld diff --git a/software/example7/spdx3.0/example7-bin.spdx.jsonld b/software/example7/spdx3.0/example7-bin.spdx.jsonld new file mode 100644 index 0000000..aded29f --- /dev/null +++ b/software/example7/spdx3.0/example7-bin.spdx.jsonld 
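Review bot: in the new example7-third-party-modules.spdx.jsonld, the software_Sbom's `element` list contains `urn:uuid:0ae67aec-e3f7-4020-b0bc-068486068127`, which is defined nowhere in the graph, while the two Organization elements (`urn:uuid:4b3add7d…`, `urn:uuid:1c20ec6e…`) that the packages' `originatedBy` point to are not listed. Separately, the package named `rsc.io/quote` has `"software_downloadLocation": "git://rsc.io/sampler@v1.3.0"`, a different module; a consumer checking provenance against this SBOM would fetch the wrong source, so point it at the quote module itself (and over `git+https`, not `git://`).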
@@ -0,0 +1,160 @@ +{ + "@context": [ + "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" + ], + "@graph": [ + { + "spdxId": "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228", + "type": "Person", + "creationInfo": "_:creationInfo", + "comment": "Person or Tool that created this document", + "name": "Nisha K", + "externalIdentifier": [ + { + "type": "ExternalIdentifier", + "externalIdentifierType": "email", + "identifier": "nishak@vmware.com" + } + ] + }, + { + "@id": "_:creationInfo", + "type": "CreationInfo", + "created": "2020-11-24T01:12:27Z", + "createdBy": [ + "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228" + ], + "comment": "All objects within the graph will have this same CreationInfo" + }, + { + "spdxId": "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb", + "type": "software_File", + "name": "hello", + "creationInfo": "_:creationInfo", + "comment": "This binary was created by building go source code", + "originatedBy": "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228", + "software_primaryPurpose": "executable" + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-golang.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "ffde414ff13e529e8ea834f92d0e6df9c56ebace6c359ef3fca9cb60ea6cbb63" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-go-module.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "28c680a0232828f5ea550a10e02e9548316d4f8c1c618ae52bdf1d8e6f5a3c3c" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-third-party-modules.spdx.jsonld", + 
"verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "9b34ebb21f3329351be6490733e17c0bd8b3cf4cc7321c0f3207c69844df133d" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-third-party-modules.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "9b34ebb21f3329351be6490733e17c0bd8b3cf4cc7321c0f3207c69844df133d" + } + ] + }, + { + "spdxId": "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", + "type": "build_Build", + "comment": "This element is used to express inputs and outputs of the go build" + }, + { + "type": "LifecycleScopedRelationship", + "scope": "build", + "spdxId": "urn:uuid:98dd3b3f-6b8f-49a1-88b6-628750516f1e", + "creationInfo": "_:creationInfo", + "relationshipType": "hasInputs", + "from": "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", + "to": [ + "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", + "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8" + ] + }, + { + "type": "LifecycleScopedRelationship", + "scope": "build", + "spdxId": "urn:uuid:a7b65a78-8ed2-4b20-a91b-40f94ecdb81c", + "creationInfo": "_:creationInfo", + "relationshipType": "hasOutputs", + "from": "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", + "to": [ + "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb" + ] + }, + { + "type": "LifecycleScopedRelationship", + "scope": "build", + "spdxId": "urn:uuid:5524e7dd-5d2f-44fa-86b0-ccaa3cf6fa63", + "creationInfo": "_:creationInfo", + "relationshipType": "hasStaticLink", + "from": "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb", + "to": [ + "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", + "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73" + ] + }, + { + "type": "software_Sbom", + "spdxId": "urn:uuid:4c7ec5f3-875b-4f99-8c4c-f0a718da8c4f", + "creationInfo": "_:creationInfo", + "comment": "The SBOM communicates that this document is an SBOM", + 
"rootElement": [ + "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb" + ], + "element": [ + "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228", + "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb", + "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", + "urn:uuid:98dd3b3f-6b8f-49a1-88b6-628750516f1e", + "urn:uuid:a7b65a78-8ed2-4b20-a91b-40f94ecdb81c", + "urn:uuid:5524e7dd-5d2f-44fa-86b0-ccaa3cf6fa63" + ] + }, + { + "spdxId": "urn:uuid:6a1ea0da-1801-495b-9d35-2735e79eee1b", + "type": "SpdxDocument", + "creationInfo": "_:creationInfo", + "comment": "This document's primary communication is the SBOM", + "name": "example7-bin.spdx", + "profileConformance": [ + "core", + "software", + "build" + ], + "dataLicense": "CC0-1.0", + "rootElement": [ + "urn:uuid:4c7ec5f3-875b-4f99-8c4c-f0a718da8c4f" + ] + } + ] +} From 30a8ae0b95c794b0bcad871081456889f4b22467 Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Wed, 7 Aug 2024 08:45:46 -0700 Subject: [PATCH 17/20] Rename .jsonld to .json and the folder to spdx-3.0 Signed-off-by: Nisha Kumar --- .../example7-bin.spdx.jsonld => spdx-3.0/example7-bin.spdx.json} | 0 .../example7-go-module.spdx.json} | 0 .../example7-golang.spdx.json} | 0 .../example7-third-party-modules.spdx.json} | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename software/example7/{spdx3.0/example7-bin.spdx.jsonld => spdx-3.0/example7-bin.spdx.json} (100%) rename software/example7/{spdx3.0/example7-go-module.spdx.jsonld => spdx-3.0/example7-go-module.spdx.json} (100%) rename software/example7/{spdx3.0/example7-golang.spdx.jsonld => spdx-3.0/example7-golang.spdx.json} (100%) rename software/example7/{spdx3.0/example7-third-party-modules.spdx.jsonld => spdx-3.0/example7-third-party-modules.spdx.json} (100%) diff --git a/software/example7/spdx3.0/example7-bin.spdx.jsonld b/software/example7/spdx-3.0/example7-bin.spdx.json similarity index 100% rename from software/example7/spdx3.0/example7-bin.spdx.jsonld rename to software/example7/spdx-3.0/example7-bin.spdx.json 
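Review bot: the four `ExternalMap` objects are placed as top-level members of `@graph`, but ExternalMap is not an Element in SPDX 3.0 (note they carry no `spdxId` or `creationInfo`); they belong in the SpdxDocument's `imports` property, where they tell a consumer how to locate and verify the documents that define `urn:uuid:a9f18ff3…`, `urn:uuid:e1877974…`, `urn:uuid:4918b993…` and `urn:uuid:84e4231d…`. Two related issues in the same hunk: the `build_Build` element `urn:uuid:128052d9…` has no `creationInfo`, which every Element requires, and each `locationHint` points to `software/example7/<file>.jsonld`, whereas the files live under `software/example7/spdx3.0/`, so the hints will not resolve.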
diff --git a/software/example7/spdx3.0/example7-go-module.spdx.jsonld b/software/example7/spdx-3.0/example7-go-module.spdx.json similarity index 100% rename from software/example7/spdx3.0/example7-go-module.spdx.jsonld rename to software/example7/spdx-3.0/example7-go-module.spdx.json diff --git a/software/example7/spdx3.0/example7-golang.spdx.jsonld b/software/example7/spdx-3.0/example7-golang.spdx.json similarity index 100% rename from software/example7/spdx3.0/example7-golang.spdx.jsonld rename to software/example7/spdx-3.0/example7-golang.spdx.json diff --git a/software/example7/spdx3.0/example7-third-party-modules.spdx.jsonld b/software/example7/spdx-3.0/example7-third-party-modules.spdx.json similarity index 100% rename from software/example7/spdx3.0/example7-third-party-modules.spdx.jsonld rename to software/example7/spdx-3.0/example7-third-party-modules.spdx.json From 97fc56bbed98298e84d687d857e815ba2093246b Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Wed, 7 Aug 2024 10:21:52 -0700 Subject: [PATCH 18/20] Schema fixes - Add specVersion to creationInfo object - Only one context allowed - originatedBy is an array - dataLicense is not required - Fix element list in example7-third-party-modules.spdx.json - Remove build conformance (requires more information about the build) Signed-off-by: Nisha Kumar --- .../example7/spdx-3.0/example7-bin.spdx.json | 15 +++++++-------- .../spdx-3.0/example7-go-module.spdx.json | 12 ++++++------ .../example7/spdx-3.0/example7-golang.spdx.json | 16 +++++++++------- .../example7-third-party-modules.spdx.json | 17 ++++++++++------- 4 files changed, 32 insertions(+), 28 deletions(-) diff --git a/software/example7/spdx-3.0/example7-bin.spdx.json b/software/example7/spdx-3.0/example7-bin.spdx.json index aded29f..33456f9 100644 --- a/software/example7/spdx-3.0/example7-bin.spdx.json +++ b/software/example7/spdx-3.0/example7-bin.spdx.json 
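Review bot: renaming the four documents to `spdx-3.0/*.spdx.json` leaves the `locationHint` values in example7-bin (`…/software/example7/example7-golang.spdx.jsonld` and its siblings) pointing at names that no longer exist; they should be updated in the same patch so the cross-document references stay resolvable. The `verifiedUsing` sha256 values are computed over file content, so the rename itself does not change them, but any later edit to those files will, and the hints and hashes then have to be refreshed together.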
@@ -1,7 +1,5 @@ { - "@context": [ - "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" - ], + "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld", "@graph": [ { "spdxId": "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228", @@ -20,6 +18,7 @@ { "@id": "_:creationInfo", "type": "CreationInfo", + "specVersion": "3.0.0", "created": "2020-11-24T01:12:27Z", "createdBy": [ "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228" @@ -32,7 +31,9 @@ "name": "hello", "creationInfo": "_:creationInfo", "comment": "This binary was created by building go source code", - "originatedBy": "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228", + "originatedBy": [ + "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228" + ], "software_primaryPurpose": "executable" }, { @@ -147,11 +148,9 @@ "comment": "This document's primary communication is the SBOM", "name": "example7-bin.spdx", "profileConformance": [ - "core", - "software", - "build" + "core", + "software" ], - "dataLicense": "CC0-1.0", "rootElement": [ "urn:uuid:4c7ec5f3-875b-4f99-8c4c-f0a718da8c4f" ] diff --git a/software/example7/spdx-3.0/example7-go-module.spdx.json b/software/example7/spdx-3.0/example7-go-module.spdx.json index 2cd842b..2b35962 100644 --- a/software/example7/spdx-3.0/example7-go-module.spdx.json +++ b/software/example7/spdx-3.0/example7-go-module.spdx.json @@ -1,7 +1,5 @@ { - "@context": [ - "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" - ], + "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld", "@graph": [ { "spdxId": "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8", @@ -20,6 +18,7 @@ { "@id": "_:creationInfo", "type": "CreationInfo", + "specVersion": "3.0.0", "created": "2020-11-25T01:12:27Z", "createdBy": [ "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8" 
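Review bot: dropping `"build"` from `profileConformance` in example7-bin.spdx.json while the file still contains the `build_Build` element and three `LifecycleScopedRelationship`s with `"scope": "build"` leaves the document using elements of a profile it no longer claims to conform to; either keep `build` and complete the Build element, or remove the Build element in the same patch. The two `"core",` lines in this hunk change only in indentation; whitespace-only churn is better kept out of a schema-fix patch.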
@@ -34,7 +33,9 @@ "comment": "This is version controlled source code, generated by the ssame person who made this document", "software_primaryPurpose": "source", "software_downloadLocation": "git://github.com/spdx/spdx-examples.git#software/example7/src/hello", - "originatedBy": "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8" + "originatedBy": [ + "urn:uuid:cf7dddac-8ce5-4a16-8860-ee255be7b4c8" + ] }, { "type": "software_Sbom", @@ -56,10 +57,9 @@ "comment": "This document's primary communication is the SBOM", "name": "example7-go-module.spdx", "profileConformance": [ - "core", + "core", "software" ], - "dataLicense": "CC0-1.0", "rootElement": [ "urn:uuid:711c6f39-6c80-494e-b848-1c01e8962345" ] diff --git a/software/example7/spdx-3.0/example7-golang.spdx.json b/software/example7/spdx-3.0/example7-golang.spdx.json index ac15968..1040090 100644 --- a/software/example7/spdx-3.0/example7-golang.spdx.json +++ b/software/example7/spdx-3.0/example7-golang.spdx.json @@ -1,7 +1,5 @@ { - "@context": [ - "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" - ], + "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld", "@graph": [ { "spdxId": "urn:uuid:cc81c9c0-c466-4e22-b3f6-945a65f5d07b", @@ -27,6 +25,7 @@ { "@id": "_:creationInfo", "type": "CreationInfo", + "specVersion": "3.0.0", "created": "2020-11-24T01:12:27Z", "createdBy": [ "urn:uuid:cc81c9c0-c466-4e22-b3f6-945a65f5d07b" @@ -42,7 +41,9 @@ "software_packageVersion": "1.16.4", "software_primaryPurpose": "install", "software_downloadLocation": "https://golang.org/dl/go1.16.4.linux-amd64.tar.gz", - "originatedBy": "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d", + "originatedBy": [ + "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d" + ], "verifiedUsing": [ { "type": "Hash", 
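Review bot: the context line `"comment": "This is version controlled source code, generated by the ssame person…"` in the example7-go-module hunk still carries the `ssame` typo; since the adjacent `originatedBy` lines are already being rewritten here, fix it in the same hunk rather than leaving it for another patch.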
@@ -57,7 +58,9 @@ "name": "go", "creationInfo": "_:creationInfo", "comment": "The installation comes with an executable", - "originatedBy": "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d", + "originatedBy": [ + "urn:uuid:a5d2b614-1c0a-477d-b1fc-dc391f2c1c6d" + ], "software_primaryPurpose": "executable" }, { @@ -93,10 +96,9 @@ "comment": "This document's primary communication is the SBOM", "name": "example7-golang.spdx", "profileConformance": [ - "core", + "core", "software" ], - "dataLicense": "CC0-1.0", "rootElement": [ "urn:uuid:d523d308-8348-4051-85ea-a67a14978fad" ] diff --git a/software/example7/spdx-3.0/example7-third-party-modules.spdx.json b/software/example7/spdx-3.0/example7-third-party-modules.spdx.json index 86e381b..4ce119b 100644 --- a/software/example7/spdx-3.0/example7-third-party-modules.spdx.json +++ b/software/example7/spdx-3.0/example7-third-party-modules.spdx.json @@ -1,7 +1,5 @@ { - "@context": [ - "https://spdx.org/rdf/3.0.0/spdx-context.jsonld" - ], + "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld", "@graph": [ { "spdxId": "urn:uuid:75f4bf57-0976-446d-869a-67856a1fa5bb", @@ -34,6 +32,7 @@ { "@id": "_:creationInfo", "type": "CreationInfo", + "specVersion": "3.0.0", "created": "2020-11-25T01:12:27Z", "createdBy": [ "urn:uuid:75f4bf57-0976-446d-869a-67856a1fa5bb" @@ -48,7 +47,9 @@ "comment": "Go module dependency. The author is not given", "software_primaryPurpose": "library", "software_downloadLocation": "git://golang.org/x/text@v0.0.0-20170915032832-14c0d48ead0c", - "originatedBy": "urn:uuid:4b3add7d-8d36-488d-b7cc-f3891af633d1" + "originatedBy": [ + "urn:uuid:4b3add7d-8d36-488d-b7cc-f3891af633d1" + ] }, { "spdxId": "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73", 
@@ -58,7 +59,9 @@ "comment": "Go module dependency. The author is not given", "software_primaryPurpose": "library", "software_downloadLocation": "git://rsc.io/sampler@v1.3.0", - "originatedBy": "urn:uuid:1c20ec6e-6e84-417a-8b7f-51bb69f62cb2" + "originatedBy": [ + "urn:uuid:1c20ec6e-6e84-417a-8b7f-51bb69f62cb2" + ] }, { "type": "software_Sbom", @@ -71,7 +74,8 @@ ], "element": [ "urn:uuid:75f4bf57-0976-446d-869a-67856a1fa5bb", - "urn:uuid:0ae67aec-e3f7-4020-b0bc-068486068127", + "urn:uuid:4b3add7d-8d36-488d-b7cc-f3891af633d1", + "urn:uuid:1c20ec6e-6e84-417a-8b7f-51bb69f62cb2", "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73" ] @@ -86,7 +90,6 @@ "core", "software" ], - "dataLicense": "CC0-1.0", "rootElement": [ "urn:uuid:30bebcfc-096f-4cbd-9fea-da1b8c5f8ea6" ] From 23abdcc01f9b1865ea70d5db9b97f206c0ebe39d Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Thu, 8 Aug 2024 08:30:34 -0700 Subject: [PATCH 19/20] Updates to example7 binary sbom - Recalculate hashes for ExternalMap - Remove Build element - Update relationships - Remove Build id from element list - Move all ExternalMap elements to SpdxDocument "imports" Signed-off-by: Nisha Kumar --- .../example7/spdx-3.0/example7-bin.spdx.json | 127 +++++++++--------- 1 file changed, 67 insertions(+), 60 deletions(-) diff --git a/software/example7/spdx-3.0/example7-bin.spdx.json b/software/example7/spdx-3.0/example7-bin.spdx.json index 33456f9..32e012d 100644 --- a/software/example7/spdx-3.0/example7-bin.spdx.json +++ b/software/example7/spdx-3.0/example7-bin.spdx.json 
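Review bot: Deleting `"dataLicense": "CC0-1.0"` in the SpdxDocument hunks of the preceding patch (`@@ -56,10 +57,9 @@` in example7-go-module, `@@ -93,10 +96,9 @@` in example7-golang, `@@ -86,7 +90,6 @@` in example7-third-party-modules) drops the data-licence statement instead of repairing it; SpdxDocument in the 3.0 model still carries `dataLicense`, but with a license element as its range rather than a bare identifier string, so keep the property and point it at a license reference (the SPDX listed-license IRI for CC0-1.0, or a `simplelicensing_LicenseExpression` element in the graph). The `"core",` lines in the same hunks change only trailing whitespace; that is fine but deserves a word in the commit message so the hunks are not mistaken for a content change.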
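Review bot: The `@@ -34,7 +33,9 @@` hunk in example7-go-module edits the package block whose context line reads `"comment": "This is version controlled source code, generated by the ssame person who made this document"`; since the block is already being touched to make `originatedBy` a list, fix the typo to "same" in the same commit.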
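Review bot: In the `@@ -71,7 +74,8 @@` hunk of example7-third-party-modules the Sbom `element` list swaps `urn:uuid:0ae67aec-e3f7-4020-b0bc-068486068127` for `urn:uuid:4b3add7d-...` and `urn:uuid:1c20ec6e-...`, which are the `originatedBy` agent ids the two package hunks above now reference; listing the agents is fine, but the diff shows no deletion of the `0ae67aec` element from the `@graph`, so either it is still defined and is now orphaned from the Sbom, or its removal happened in an earlier commit. Say which in the commit message, and if it is still present decide whether it should stay in `element`.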
@@ -36,69 +36,15 @@ ], "software_primaryPurpose": "executable" }, - { - "type": "ExternalMap", - "externalSpdxId": "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", - "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-golang.spdx.jsonld", - "verifiedUsing": [ - { - "type": "Hash", - "algorithm": "sha256", - "hashValue": "ffde414ff13e529e8ea834f92d0e6df9c56ebace6c359ef3fca9cb60ea6cbb63" - } - ] - }, - { - "type": "ExternalMap", - "externalSpdxId": "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8", - "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-go-module.spdx.jsonld", - "verifiedUsing": [ - { - "type": "Hash", - "algorithm": "sha256", - "hashValue": "28c680a0232828f5ea550a10e02e9548316d4f8c1c618ae52bdf1d8e6f5a3c3c" - } - ] - }, - { - "type": "ExternalMap", - "externalSpdxId": "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", - "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-third-party-modules.spdx.jsonld", - "verifiedUsing": [ - { - "type": "Hash", - "algorithm": "sha256", - "hashValue": "9b34ebb21f3329351be6490733e17c0bd8b3cf4cc7321c0f3207c69844df133d" - } - ] - }, - { - "type": "ExternalMap", - "externalSpdxId": "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73", - "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-third-party-modules.spdx.jsonld", - "verifiedUsing": [ - { - "type": "Hash", - "algorithm": "sha256", - "hashValue": "9b34ebb21f3329351be6490733e17c0bd8b3cf4cc7321c0f3207c69844df133d" - } - ] - }, - { - "spdxId": "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", - "type": "build_Build", - "comment": "This element is used to express inputs and outputs of the go build" - }, { "type": "LifecycleScopedRelationship", "scope": "build", "spdxId": "urn:uuid:98dd3b3f-6b8f-49a1-88b6-628750516f1e", "creationInfo": "_:creationInfo", - "relationshipType": "hasInputs", - "from": "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", + 
"relationshipType": "usesTool", + "from": "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8", "to": [ - "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", - "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8" + "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b" ] }, { @@ -106,8 +52,8 @@ "scope": "build", "spdxId": "urn:uuid:a7b65a78-8ed2-4b20-a91b-40f94ecdb81c", "creationInfo": "_:creationInfo", - "relationshipType": "hasOutputs", - "from": "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", + "relationshipType": "generates", + "from": "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95", "to": [ "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb" ] @@ -135,7 +81,6 @@ "element": [ "urn:uuid:6731cd26-926c-486b-8127-340c0f11a228", "urn:uuid:3773937f-6db8-49f9-920f-7d1a6b0cfcbb", - "urn:uuid:128052d9-d307-43fc-a676-5d8791e12391", "urn:uuid:98dd3b3f-6b8f-49a1-88b6-628750516f1e", "urn:uuid:a7b65a78-8ed2-4b20-a91b-40f94ecdb81c", "urn:uuid:5524e7dd-5d2f-44fa-86b0-ccaa3cf6fa63" 
@@ -153,6 +98,68 @@ ], "rootElement": [ "urn:uuid:4c7ec5f3-875b-4f99-8c4c-f0a718da8c4f" + ], + "imports": [ + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:a9f18ff3-17fa-419d-8966-abe4b992312b", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-golang.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "15ed567c36a30fb37f7d19f0f471434b9453909bf62d925194efe713ede62086" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-golang.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "15ed567c36a30fb37f7d19f0f471434b9453909bf62d925194efe713ede62086" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:e1877974-0aaa-48e6-931f-db4898c543f8", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-go-module.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "7bb2343efdccb4a2a2947219c87747673854fc6b550b2f98518af342f8dded17" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:4918b993-36f8-4e75-bf94-2f017575eae5", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-third-party-modules.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "0e3532e0773d24d1a3a0a58592effd67daf22ac89282dc18805e1eef23f68dfe" + } + ] + }, + { + "type": "ExternalMap", + "externalSpdxId": "urn:uuid:84e4231d-fc1d-4b4e-9609-05781f81fa73", + "locationHint": "https://github.com/spdx/spdx-examples/software/example7/example7-third-party-modules.spdx.jsonld", + "verifiedUsing": [ + { + "type": "Hash", + "algorithm": "sha256", + "hashValue": "0e3532e0773d24d1a3a0a58592effd67daf22ac89282dc18805e1eef23f68dfe" + } + ] + } ] } ] 
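Review bot: Check the key `"imports"` in the `@@ -153,6 +98,68 @@` hunk against the 3.0.0 JSON-LD context these files declare: the SpdxDocument property that holds ExternalMap entries is named `import` in the published SPDX 3.0 model, and a key that is not in the context is silently dropped during JSON-LD expansion, so all five ExternalMaps (and their pinned sha256 values) would disappear on load with no validation error. In the same hunk every `locationHint` points at `https://github.com/spdx/spdx-examples/software/example7/example7-*.spdx.jsonld`, while the diff headers show the documents living at `software/example7/spdx-3.0/example7-*.spdx.json`; a consumer following the hint cannot fetch the file the hash was computed over, so use the real path (and a fetchable raw URL if the hint is meant to be resolvable), and consider a CI step that recomputes the sha256 of each referenced document so later edits to example7-golang or example7-third-party-modules do not leave stale `hashValue`s behind.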
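Review bot: With the `build_Build` element gone (`@@ -36,69 +36,15 @@`), the `generates` relationship in `@@ -106,8 +52,8 @@` now has `"from": "urn:uuid:3b2939bf-fcce-4617-a06f-115168870b95"`, an id that appears in this series only as a new ExternalMap pointing at example7-golang.spdx.jsonld; the golang hunks in the previous patch show `cc81c9c0` and `d523d308` but no element with this id, and a correct `hashValue` on the ExternalMap does not guarantee the id resolves, so confirm `3b2939bf` is actually defined in that document. The old `hasInputs`/`hasOutputs` pair recorded both what went into the build and what came out; after the change `usesTool` (module uses the Go toolchain) and `generates` (toolchain produced `3773937f`) say what built the binary but no longer state which source it was built from, so add a relationship from the source element to the binary if that provenance link is still wanted in the binary SBOM.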
From 4a9291bc6f04856f936cd9d3e8a8f0ddcd88213a Mon Sep 17 00:00:00 2001 From: Nisha Kumar Date: Wed, 25 Sep 2024 13:46:32 -0700 Subject: [PATCH 20/20] Move files back to folder called spdx3.0 Signed-off-by: Nisha Kumar --- software/example7/{spdx-3.0 => spdx3.0}/example7-bin.spdx.json | 0 .../example7/{spdx-3.0 => spdx3.0}/example7-go-module.spdx.json | 0 software/example7/{spdx-3.0 => spdx3.0}/example7-golang.spdx.json | 0 .../{spdx-3.0 => spdx3.0}/example7-third-party-modules.spdx.json | 0 4 files changed, 0 insertions(+), 0 deletions(-) rename software/example7/{spdx-3.0 => spdx3.0}/example7-bin.spdx.json (100%) rename software/example7/{spdx-3.0 => spdx3.0}/example7-go-module.spdx.json (100%) rename software/example7/{spdx-3.0 => spdx3.0}/example7-golang.spdx.json (100%) rename software/example7/{spdx-3.0 => spdx3.0}/example7-third-party-modules.spdx.json (100%) diff --git a/software/example7/spdx-3.0/example7-bin.spdx.json b/software/example7/spdx3.0/example7-bin.spdx.json similarity index 100% rename from software/example7/spdx-3.0/example7-bin.spdx.json rename to software/example7/spdx3.0/example7-bin.spdx.json diff --git a/software/example7/spdx-3.0/example7-go-module.spdx.json b/software/example7/spdx3.0/example7-go-module.spdx.json similarity index 100% rename from software/example7/spdx-3.0/example7-go-module.spdx.json rename to software/example7/spdx3.0/example7-go-module.spdx.json diff --git a/software/example7/spdx-3.0/example7-golang.spdx.json b/software/example7/spdx3.0/example7-golang.spdx.json similarity index 100% rename from software/example7/spdx-3.0/example7-golang.spdx.json rename to software/example7/spdx3.0/example7-golang.spdx.json 
diff --git a/software/example7/spdx-3.0/example7-third-party-modules.spdx.json b/software/example7/spdx3.0/example7-third-party-modules.spdx.json similarity index 100% rename from software/example7/spdx-3.0/example7-third-party-modules.spdx.json rename to software/example7/spdx3.0/example7-third-party-modules.spdx.json
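Review bot: This rename carries 0 insertions and 0 deletions, so nothing that refers to the old `spdx-3.0/` directory is updated here: the `locationHint` URLs added in PATCH 19 and any README links to these documents still need a grep for `spdx-3.0` and a repoint to `spdx3.0/`. The pinned sha256 values in example7-bin stay valid because the content is unchanged (100% similarity), but the hints no longer match the path. The title "Move files back" also implies an earlier rename in the series; squashing the two moves would keep the history cleaner.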