
add Lite profile examples #91

Status: Open. Wants to merge 56 commits into base: master

Conversation

NorioKobota (Author):

We implemented three samples that show how to use Lite Profile.
We would appreciate your review.

@JPEWdev (Contributor) left a comment:

The CI will likely find many more problems once it runs. I'll admit that the output of the checks, while very thorough, can be difficult to interpret. If you run into trouble getting these to pass CI, let me know and I can help interpret the errors.

Overall, the structure of these documents seems fine, they just need to conform to the JSON schema and SHACL model (which is done by CI) and they should be OK

@@ -0,0 +1,189 @@
{
"@context": "https://raw.githubusercontent.com/spdx/spdx-3-serialization-prototype-playground/main/jsonld/spdx-3.0-context.json-ld",
Contributor:

This is the example context URL, the actual URL needs to be used now, which is:

"@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld"

"@graph": [
{
"type": "SpdxDocument",
"spdxId": "http://spdx.example.com/Document/1",
Contributor:

http://spdx.example.com/Document/1 is not a good example spdxId. An SPDX ID needs some universally unique identifier, and SPDX has a defined URL prefix of https://spdx.org/spdxdocs/ for the case where the producer doesn't have their own domain. Thus, your spdx ID should probably look something like:

"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/Document/1"

The https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/ prefix can be reused for all the other objects in this document keeping the existing scheme of appending the type and an index if you desire.

"algorithm": "sha3_512",
"hashValue": "hash value of Sbom object"
}],
"rootElement": "http://spdx.example.com/Sbom/1",
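Review bot: the hashValue in the verifiedUsing entry above is a prose placeholder ("hash value of Sbom object"), not a digest, so the integrity check this entry documents can never actually be performed; for algorithm sha3_512 the value should be the hex-encoded 64-byte (128 hex character) SHA3-512 digest of the referenced Sbom, or the verifiedUsing entry should be dropped from the example so readers don't copy a placeholder into a real SBOM. The rootElement on the next line also still uses the http://spdx.example.com/ prefix rather than the https://spdx.org/spdxdocs/<uuid>/ prefix recommended for the Document spdxId, so the two identifiers in this object will be inconsistent once that is changed.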
Contributor:

I believe this has to be an array to validate:

"rootElement": [ "http://spdx.example.com/Sbom/1" ],

"type": "NamespaceMap",
"prefix": "lite-example",
"namespace": "http://spdx.example.com/Lite/1"
}],
Contributor:

This namespace map is not used in the document, so please remove it for clarity

"dataLicense": "CC0-1.0"
},
{
"type": "Sbom",
Contributor:

Object types are always prefixed by their namespace (e.g. profile) unless they are from core, so this needs to be:

"type": "software_Sbom",

Author:

Thanks! I will fix them.
Just curious, why prefix these with profile names?
In particular, JSON is structured, and I personally think that it is possible to understand the context depending on which closure contains the same key value.
If there are discussions in the past, I would appreciate it if you could give me pointers.

"http://spdx.example.com/Relationship/2",
"http://spdx.example.com/Relationship/3"
],
"sbomType": "build"
Contributor:

Property names are always prefixed by their namespace (e.g. profile) unless they are from core, so this needs to be:

"software_sbomType": [ "build" ],

Also be aware that SPDX 3.0 JSON doesn't allow array eliding, so if a property has any max ordinality other than 1, it must be an array in JSON, even if it only contains one item.

"http://spdx.example.com/Package/1"
],
"relationshipType": "underInvestigationFor",
"/Core/suppliedBy": [
Contributor:

Just suppliedBy for the property name. Namespacing of properties and types is handled as described above

@no-ta (Jul 9, 2024):

"/Core/suppliedBy" is described in the SPDX specification as follows.
How should I modify this? Is it acceptable to remove "/Core/"?

/Core/suppliedBy
type: /Core/Agent
minCount: 0
maxCount: 1

@JPEWdev (Contributor, Jul 9, 2024):

Yes, in this case it's just Agent, it's important to remember that the names of objects and properties in the "model" described in the SPDX 3 spec are not the same as the types and property names used in any given serialization format. The serialization formats have different rules for how to translate the model names to types and properties. The JSON rules are described in my other comments, but to be explicit, it is:

Object types and properties from the Core namespace have no prefix (e.g. /Core/Agent is Agent). Object types and properties from other namespaces are prefixed by a lower case version of the namespace + "_" (e.g. /Software/Sbom is software_Sbom, /Software/sbomType is software_sbomType).

Contributor:

And to be clear, the namespace of the object type is irrelevant to the naming of properties. For example, even though this software_Sbom object is in the Software namespace, the exact same rules described above apply to all its properties, so it's just suppliedBy not core_suppliedBy, and software_sbomType not sbomType.

The reason for this is that the mapping of type names and properties is context-free (e.g. global), so it doesn't depend on which specific object the property is found in.

Reply:

Thank you for your clarification.
I can understand how to describe json format from the specification.

Author:

The reason for this is that the mapping of type names and properties is context-free (e.g. global), so it doesn't depend on which specific object the property is found in.

I don’t fully understand it yet, but I understand this is the answer for this comment. #91 (comment)
Thanks.
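The JSON serialization rules laid out in the exchange above (Core names carry no prefix, names from any other namespace get the lower-cased namespace plus "_", and multi-valued properties are always arrays because SPDX 3.0 JSON does not allow array eliding) are mechanical enough to check automatically. The following is an added example written for this page; it is not code from the spdx-examples repository, from the SPDX tooling, or from any participant in the thread. The NON_CORE and MULTI_VALUED tables are constructed, partial lists that cover only the names that come up in this review, not the full SPDX 3.0 model, and the sample document is constructed from the fragments discussed above.

```python
"""Added example (not spdx/spdx-examples or SPDX tool code): lint an SPDX 3.0
JSON document against the serialization naming rules described in this thread."""
from __future__ import annotations

import re

# Model names whose JSON form is not simply the local name (non-Core namespaces).
# Constructed, partial list: only the names that appear in this review.
NON_CORE = {
    "Sbom": "/Software/Sbom",
    "Package": "/Software/Package",
    "sbomType": "/Software/sbomType",
    "LicenseExpression": "/SimpleLicensing/LicenseExpression",
    "licenseExpression": "/SimpleLicensing/licenseExpression",
    "licenseListVersion": "/SimpleLicensing/licenseListVersion",
}

# Properties with maxCount other than 1. SPDX 3.0 JSON does not allow array
# eliding, so these must be JSON arrays even with one value. Constructed, partial list.
MULTI_VALUED = {"rootElement", "element", "to", "verifiedUsing", "namespaceMap",
                "software_sbomType"}


def model_to_json_name(model_name: str) -> str:
    """Map a model name to its JSON name: '/Core/Agent' -> 'Agent',
    '/Software/sbomType' -> 'software_sbomType'."""
    m = re.fullmatch(r"/([A-Za-z]+)/([A-Za-z][A-Za-z0-9]*)", model_name)
    if not m:
        raise ValueError(f"not a model name: {model_name!r}")
    namespace, local = m.groups()
    return local if namespace == "Core" else f"{namespace.lower()}_{local}"


def check_name(name: str) -> str | None:
    """Return the JSON name `name` should have been, or None if it is already right."""
    if name.startswith("/"):              # model path pasted verbatim, e.g. "/Core/suppliedBy"
        return model_to_json_name(name)
    if name in NON_CORE:                  # non-Core name missing its prefix, e.g. "Sbom"
        return model_to_json_name(NON_CORE[name])
    prefix, sep, local = name.partition("_")
    if sep and prefix != prefix.lower():  # "simpleLicensing_x" -> "simplelicensing_x"
        return f"{prefix.lower()}_{local}"
    return None


def lint(doc: dict) -> list[str]:
    """Report naming and array-eliding problems for every object in @graph."""
    problems = []
    for i, obj in enumerate(doc.get("@graph", [])):
        where = obj.get("spdxId") or f"@graph[{i}]"
        obj_type = obj.get("type", "")
        fixed = check_name(obj_type)
        if fixed:
            problems.append(f"{where}: type {obj_type!r} should be {fixed!r}")
        for key, value in obj.items():
            if key.startswith("@") or key == "type":
                continue
            fixed = check_name(key)
            if fixed:
                problems.append(f"{where}: property {key!r} should be {fixed!r}")
            # Cardinality is keyed on the corrected name, so a mis-prefixed
            # multi-valued property is still caught.
            if (fixed or key) in MULTI_VALUED and not isinstance(value, list):
                problems.append(f"{where}: {key!r} must be a JSON array even with one value")
    return problems


# Constructed sample assembled from the fragments discussed in this review.
PREFIX = "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/"
SAMPLE = {
    "@context": "https://spdx.github.io/spdx-spec/v3.0/model/spdx-context.jsonld",
    "@graph": [
        {"type": "SpdxDocument", "spdxId": PREFIX + "Document/1",
         "rootElement": PREFIX + "Sbom/1"},                # must be an array
        {"type": "Sbom", "spdxId": PREFIX + "Sbom/1",       # missing software_ prefix
         "sbomType": "build",                              # missing prefix and not an array
         "/Core/suppliedBy": PREFIX + "Agent/1"},          # model path; should be suppliedBy
        {"type": "simpleLicensing_LicenseExpression",      # prefix must be lower case
         "spdxId": PREFIX + "LicenseExpression/1",
         "simpleLicensing_licenseExpression": "MIT"},
    ],
}

if __name__ == "__main__":
    for problem in lint(SAMPLE):
        print(problem)
```

Running the file prints seven findings for the sample, one per mistake discussed in the thread. This is only a pre-check for the naming and array rules; it knows nothing about value types, required properties or the cardinalities of names outside its tables, so the CI's JSON schema and SHACL validation remains the authority on whether a document is valid.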

@@ -0,0 +1,189 @@
{
Contributor:

This document needs two things to be checked by CI:

  1. It needs to have a ".json" extension instead of ".jsonld"
  2. It needs to exist in a "spdx-3.0" directory

As such, I would recommend naming this file: lite/example1-with-VEX/spdx-3.0/Lite-example-1-1-with-VEX.spdx.json and naming the other examples in this PR similarly

no-ta added 16 commits July 10, 2024 17:46
Signed-off-by: Nobuyuki Tanaka <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
Signed-off-by: Nobuyuki Tanaka <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
@kestewart kestewart requested a review from JPEWdev August 20, 2024 16:13
bact: (comment marked as resolved)

NorioKobota and others added 5 commits January 9, 2025 18:49
….json

Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
….json

Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
….json

Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
@bact (Contributor) commented Jan 9, 2025:

@NorioKobota do you mind moving all SPDX JSON files from the spdx-3.0/ folder to the spdx3.0/ folder please? Thank you

The current workflow is now looking for files in spdx3.0/ (to make it consistent with the previous spdx2.0/).

for f in $(find . -type f -path '*/spdx3.0/*.json'); do

@NorioKobota (Author):

@bact Sure.
I will do it and the rest of the change request. Sorry for the late reply.
Thanks!

Comment on lines 99 to 103
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "GPL-2.0-only",
"simpleLicensing_licenseListVersion": "3.23.0"
Contributor:

Suggested change
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "GPL-2.0-only",
"simpleLicensing_licenseListVersion": "3.23.0"
"type": "simplelicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simplelicensing_licenseExpression": "GPL-2.0-only",
"simplelicensing_licenseListVersion": "3.23.0"

Comment on lines 87 to 91
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "MIT",
"simpleLicensing_licenseListVersion": "3.23.0"
Contributor:

Suggested change
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "MIT",
"simpleLicensing_licenseListVersion": "3.23.0"
"type": "simplelicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simplelicensing_licenseExpression": "MIT",
"simplelicensing_licenseListVersion": "3.23.0"

Comment on lines 95 to 99
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "MIT",
"simpleLicensing_licenseListVersion": "3.23.0"
Contributor:

Suggested change
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "MIT",
"simpleLicensing_licenseListVersion": "3.23.0"
"type": "simplelicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simplelicensing_licenseExpression": "MIT",
"simplelicensing_licenseListVersion": "3.23.0"

Comment on lines 95 to 99
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "MIT",
"simpleLicensing_licenseListVersion": "3.23.0"
Contributor:

Suggested change
"type": "simpleLicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simpleLicensing_licenseExpression": "MIT",
"simpleLicensing_licenseListVersion": "3.23.0"
"type": "simplelicensing_LicenseExpression",
"spdxId": "https://spdx.org/spdxdocs/08f113e9-a0b0-4482-a0ed-c4e18e5136be/LicenseExpression/1",
"creationInfo": "_:creationinfo",
"simplelicensing_licenseExpression": "MIT",
"simplelicensing_licenseListVersion": "3.23.0"

json and png: amends of relationshipType in VEX relationship is modified to amendedBy to meet specification
@NorioKobota (Author):

@bact
I believe I have fixed everything except dataLicense, could you please review it?
Also, is there an example of how to write dataLicense somewhere?

@bact (Contributor) left a comment:

Thank you. A few minor changes suggested. After this I think we are good to go.

NorioKobota and others added 3 commits January 28, 2025 16:51
Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
Co-authored-by: Arthit Suriyawongkul <[email protected]>
Signed-off-by: Norio Kobota <[email protected]>
@NorioKobota (Author):

Thank you so much for the review.
I confirmed and committed your suggestions.

@bact (Contributor) commented Jan 28, 2025:

Thank you @NorioKobota and @no-ta . I think it's pretty much all good.

Now we need a maintainer to approve the validation workflow - to let it pass the validation before merge.

(Note that I have removed all my suggestions that are already resolved, since they are too long, to make this PR easier to read)

@bact (Contributor) commented Jan 28, 2025:

@zvr @goneall if you have some time to approve the workflow, thank you.


4 participants