From 0411bc87f947d6179bce38916f3f6477ad86ad8d Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Thu, 26 Sep 2024 15:55:17 +0700 Subject: [PATCH 1/7] Fix typo: hasDistributionArifact -> hasDistributionArtifact Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index 8fc1f2b..ad3db27 100644 --- a/docs/diffs-from-previous-editions.md +++ b/docs/diffs-from-previous-editions.md @@ -133,7 +133,7 @@ The packageFileName property and packageChecksum property has been replaced by a ##### Translating from 2.3 to 3.0 -Create an SPDX File with the name from the packageFileName and a verifiedUsing value from the packageChecksum for a single file. If the packageFileName is a directory, then the SPDX File is created with the directory name and is verified using the contentIdentifier property on the File and a fileKind of directory. Create a hasDistributionArifact relationship from the SPDX Package to the SPDX File. +Create an SPDX File with the name from the packageFileName and a verifiedUsing value from the packageChecksum for a single file. If the packageFileName is a directory, then the SPDX File is created with the directory name and is verified using the contentIdentifier property on the File and a fileKind of directory. Create a hasDistributionArtifact relationship from the SPDX Package to the SPDX File. ##### Rationale From 924b1a379ca1023a4abeaa5fdcdd042bc9f328d7 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Thu, 26 Sep 2024 15:58:18 +0700 Subject: [PATCH 2/7] SpecVersiononly -> SpecVersion only Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index ad3db27..9434ab7 100644 --- a/docs/diffs-from-previous-editions.md 
+++ b/docs/diffs-from-previous-editions.md @@ -309,7 +309,8 @@ Changing the snippetFromFile from a property to a relationship [to be filled in] The type of SpecVersion is changed from a simple string without constraints to a SemVer string which must follow the [Semantic Versioning format](https://semver.org/). -This adds a constraint where a patch version is required. Previous usage of the SpecVersiononly included the major and minor version. +This adds a constraint where a patch version is required. +Previous usage of the SpecVersion only included the major and minor version. ##### Translating from 2.3 to 3.0 From 02768c16cd803f13889b7aeb18d039fd551f525d Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Thu, 26 Sep 2024 16:29:59 +0700 Subject: [PATCH 3/7] ContentIdentifers -> ContentIdentifiers Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index 9434ab7..c219c60 100644 --- a/docs/diffs-from-previous-editions.md +++ b/docs/diffs-from-previous-editions.md @@ -158,7 +158,7 @@ The following ExternalRef Types should be converted to ExternalIdentifiers: - swid - purl -The following ExternalRef Types should be converted to ContentIdentifers: +The following ExternalRef Types should be converted to ContentIdentifiers: - gitoid - swh @@ -185,7 +185,7 @@ If there is a single ExternalReference of type purl without the optional Externa ##### Rationale -Package URL is a very common method of identifying software packages. Moving this to a property makes it significantly simpler to find and correlate Package URL identifiers. +Package URL is a very common method of identifying software packages. Moving this to a property makes it significantly simpler to find and correlate Package URL identifiers. #### Annotation 
@@ -193,7 +193,7 @@ Package URL is a very common method of identifying software packages. Moving t Annotations are now subclasses of Element, so it inherits a number of new optional properties including names, annotations, and its own relationships. -Annotations are no longer a property of an Element. It is now a standalone element with a “subject” field which points to the Element being annotated. +Annotations are no longer a property of an Element. It is now a standalone element with a “subject” field which points to the Element being annotated. ##### Translating from 2.3 to 3.0 From 3b04902742fe997940b9b9239b0de153b9b12870 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 27 Sep 2024 05:39:12 +0700 Subject: [PATCH 4/7] definingDocument -> definingArtifact Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index c219c60..3607ec3 100644 --- a/docs/diffs-from-previous-editions.md +++ b/docs/diffs-from-previous-editions.md 
@@ -37,7 +37,7 @@ Each ExternalDocumentRef instance will translate as follows: - An integrity method of “Hash” will be created with the same information as the checksum property and will be referenced using the “verifiedUsing” property on the ExternalMap entry. - An entry would be created in the ExternalMap for each element referenced in the current SpdxDocument that is originally specified in the referenced SpdxDocument. - A string identifier consisting of the DocumentRef-[idstring] (the same value as the prefix in the NamespaceMap) concatenated with a “:” and then concatenated with the local portion of the element identifier would be used for the externalSpdxId in the ExternalMap - - A “definingDocument” property would be specified containing a string identifier consisting of the DocumentRef-[idstring] concatenated with a “:” and then concatenated with “SPDXRef-DOCUMENT”. This is a shortcut linkage to tie the referenced element to its defining SpdxDocument for verification and location information. + - A “definingArtifact” property would be specified containing a string identifier consisting of the DocumentRef-[idstring] concatenated with a “:” and then concatenated with “SPDXRef-DOCUMENT”. This is a shortcut linkage to tie the referenced element to its defining SpdxDocument for verification and location information. ##### Rationale 
@@ -51,7 +51,7 @@ The ExternalDocumentRef structure in SPDX 2.3 is based on the presumptions that The Namespace map structure in SPDX 3.0 fully supports the namespace prefixing use case for SpdxDocuments previously covered by ExternalDocumentRef but also equally covers the same use case capability for all element types and for any number of element identifier namespaces (in SPDX 3.0 all elements within an SpdxDocument are not required to have the same namespace and can actually be any desired mix of namespaces) to support this capability required in SPDX 3.0. -The ExternalMap structure in SPDX 3.0 fully supports the external element (including SpdxDocument elements) referencing use case for SpdxDocuments previously covered by ExternalDocumentRef but also equally covers the same use case capability for any elements whether they were originally defined within an SpdxDocument or not to support this capability required in SPDX 3.0. The ExternalMap structure in SPDX 3.0 provides the ability to specify verification and location details for any element, not just SpdxDocuments, if appropriate but also provides simple linkage, using the “definingDocument'' property, from element entries in the ExternalMap to SpdxDocument entries in the ExternalMap where the elements were defined within the SpdxDocument and verification of the elements can be achieved via proxy to the SpdxDocument “verifiedUsing” information (this is how the SPDX 2.3 ExternalDocumentRef structure currently works). +The ExternalMap structure in SPDX 3.0 fully supports the external element (including SpdxDocument elements) referencing use case for SpdxDocuments previously covered by ExternalDocumentRef but also equally covers the same use case capability for any elements whether they were originally defined within an SpdxDocument or not to support this capability required in SPDX 3.0. 
The ExternalMap structure in SPDX 3.0 provides the ability to specify verification and location details for any element, not just SpdxDocuments, if appropriate but also provides simple linkage, using the “definingArtifact” property, from element entries in the ExternalMap to SpdxDocument entries in the ExternalMap where the elements were defined within the SpdxDocument and verification of the elements can be achieved via proxy to the SpdxDocument “verifiedUsing” information (this is how the SPDX 2.3 ExternalDocumentRef structure currently works). #### Agent From 241401a98290fa20f1931d75537b9169424c7f40 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 27 Sep 2024 14:41:27 +0700 Subject: [PATCH 5/7] ExtractedLicenseInfo -> extractedText (in ExtractedLicensingInfo class) Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index 3607ec3..1291c0c 100644 --- a/docs/diffs-from-previous-editions.md +++ b/docs/diffs-from-previous-editions.md @@ -690,7 +690,7 @@ Custom Additions have been added in SPDX 3.0 which operate in a similar manner t ##### SPDX 2.3 Model Name -ExtractedLicenseInfo +extractedText ##### Tag/Value Name From 9dd0d041a6b9cd4df6a3606c6ba8e290f0a85828 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 27 Sep 2024 14:48:01 +0700 Subject: [PATCH 6/7] LicenseInfoInFiles -> LicenseInfoInFile Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index 1291c0c..3a33227 100644 --- a/docs/diffs-from-previous-editions.md +++ b/docs/diffs-from-previous-editions.md 
@@ -358,15 +358,15 @@ LicenseException This field has not been used. -#### LicenseInfoInFiles +#### LicenseInfoInFile ##### SPDX 2.3 Model Name -licenseInfoInFiles +licenseInfoInFile ##### Tag/Value Name -LicenseInfoInFiles +LicenseInfoInFile ##### Range / Where Used @@ -374,7 +374,7 @@ Package ##### Rationale -This field is redundant with the declaredLicense property in the Files contained in the Package. It is recommended that the licenseInfoInFiles can be added as an Annotation to the Package in the format: “SPDX 2.X LicenseInfoInFiles: [expression1], [expression2]” where the [expressions] are the string representation of the license expressions. +This field is redundant with the declaredLicense property in the Files contained in the Package. It is recommended that the licenseInfoInFile can be added as an Annotation to the Package in the format: “SPDX 2.X LicenseInfoInFile: [expression1], [expression2]” where the [expressions] are the string representation of the license expressions. #### FilesAnalyzed From be4efc7815488b720b4433a3bb0330636c989821 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Tue, 1 Oct 2024 22:39:07 +0700 Subject: [PATCH 7/7] Add application/spdx+json to SPDX in Content Type table Signed-off-by: Arthit Suriyawongkul --- docs/diffs-from-previous-editions.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/diffs-from-previous-editions.md b/docs/diffs-from-previous-editions.md index 3a33227..791739c 100644 --- a/docs/diffs-from-previous-editions.md +++ b/docs/diffs-from-previous-editions.md 
@@ -113,17 +113,17 @@ An example conversion table from SPDX 2.3 `FileType` to SPDX 3.0 `ContentType` o | SPDX 2 File Type | SPDX 3 Software Purpose | SPDX 3 Content Type | |------------------|-------------------------|---------------------| -| ARCHIVE | Archive | | +| ARCHIVE | archive | | | BINARY | | application/octet-stream | -| SOURCE | Source | | +| SOURCE | source | | | TEXT | | text/plain | -| APPLICATION | Application | | +| APPLICATION | application | | | AUDIO | | audio/* | | IMAGE | | image/* | | VIDEO | | video/* | -| DOCUMENTATION | Documentation | | -| SPDX | | text/spdx | -| OTHER | Other | | +| DOCUMENTATION | documentation | | +| SPDX | | application/spdx+json, text/spdx | +| OTHER | other | | #### Package File Name
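Review bot: In PATCH 3/7, the hunks at `@@ -185` and `@@ -193` replace the "Package URL is a very common method of identifying software packages." line and the "Annotations are no longer a property of an Element." line with text that reads the same, so they appear to be whitespace-only changes that the subject (ContentIdentifers -> ContentIdentifiers) does not mention. Either note the whitespace clean-up in the commit message or move it to its own commit, so the one-word spelling fix in the `@@ -158` hunk stays easy to audit.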
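Review bot: In PATCH 4/7, the renamed bullet in the `@@ -37` hunk still builds the value from DocumentRef-[idstring], ":" and "SPDXRef-DOCUMENT" and still describes it as a link "to its defining SpdxDocument", and the rationale in the `@@ -51` hunk still says verification is "achieved via proxy to the SpdxDocument “verifiedUsing” information". With the property now called definingArtifact, the text no longer tells a reader whether the target must be an SpdxDocument entry in the ExternalMap. Suggest adding one sentence stating that, for documents translated from 2.3, definingArtifact points at the SpdxDocument entry, because that is the entry carrying the verifiedUsing hash the referenced elements are checked against.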
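Review bot: In PATCH 5/7, the `@@ -690` hunk changes the value under "SPDX 2.3 Model Name" from ExtractedLicenseInfo to extractedText, which reads as a property name with no class attached; the class ExtractedLicensingInfo appears only in the commit subject. Suggest writing the owning class next to the value in the document itself, for example "extractedText (in ExtractedLicensingInfo)", and checking that the "Tag/Value Name" entry that follows matches the same field.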
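Review bot: In PATCH 6/7, the last changed line of the `@@ -374` hunk alters the recommended annotation text from “SPDX 2.X LicenseInfoInFiles: [expression1], [expression2]” to “SPDX 2.X LicenseInfoInFile: ...”, which is a change to a string that converters emit and consumers match on, not only a heading rename. If any tool already writes the old prefix, annotations produced before and after this change will not match the same pattern; suggest calling this out in the commit message, or leaving the annotation prefix unchanged if the intent was only to correct the field name. The same sentence still reads "It is recommended that the licenseInfoInFile can be added", which could be tightened to "should be added" while the line is being touched.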
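Review bot: In PATCH 7/7, the SPDX row of the table now lists two values in one cell, "application/spdx+json, text/spdx", without saying which one a converter should pick for a given file. Suggest a short sentence under the table stating how to choose between them. Separately, the hunk also lowercases every "SPDX 3 Software Purpose" value (Archive -> archive, Source -> source, Application -> application, Documentation -> documentation, Other -> other), which the subject "Add application/spdx+json to SPDX in Content Type table" does not mention; add that to the commit message or split it out.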