[Question] typo ? #136
Comments
Hi Masahiro-san,
No, it is the CreatorComment field (section 6.10 on the SPDX 2.3 standard).
Best regards,
Marc-Etienne
--
Marc-Etienne Vargenau ***@***.******@***.***>
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68<tel:+33624497868>
Senior Specialist Open Source
Planned absence: none
From: Masahiro DAIKOKU ***@***.***>
Date: Friday, 6 December 2024 at 14:19
To: OpenChain-Project/Telco-WG ***@***.***>
Cc: Subscribed ***@***.***>
Subject: [OpenChain-Project/Telco-WG] [Question] typo ? (Issue #136)
Question
In section 3.5, there is the following statement
SBOMs conforming to the OpenChain Telco SBOM Guide MUST contain information … to which version of the software they were created (using the SPDX CreatorComment field).
Does this mean the SPDX Creator field?
Thank you for your reply.
If the description specifying the SBOM creating tool does not follow the “toolidentifier-version” syntax described in the Creator field of section 6.10 of the SPDX specification, the Creator comment field may be used as in the example in section 3.5.2 of the SBOM Guide.
Is this correct?
Hi Masahiro-san,
We require (MUST) that both the tool name and the tool version are present in the Creator field.
We recommend, but do not enforce (SHOULD), the syntax "tool name - tool version", because most tools do not follow this syntax (see examples in the rationale section).
So, there is no need to use the CreatorComment for this.
I hope this answers your question.
Best regards,
Marc-Etienne
--
Marc-Etienne Vargenau ***@***.******@***.***>
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68<tel:+33624497868>
Senior Specialist Open Source
Planned absence: 20 December – 5 January
From: Masahiro DAIKOKU ***@***.***>
Date: Friday, 6 December 2024 at 15:50
To: OpenChain-Project/Telco-WG ***@***.***>
Cc: Marc-Etienne Vargenau (Nokia) ***@***.***>, Comment ***@***.***>
Subject: Re: [OpenChain-Project/Telco-WG] [Question] typo ? (Issue #136)
Thank you for your reply.
If the description specifying the SBOM creating tool does not follow the “toolidentifier-version” syntax described in the Creator field of section 6.10 of the SPDX specification, the Creator comment field may be used as in the example in section 3.5.2 of the SBOM Guide.
Is this correct?
Hi Marc-san,
Thank you very much for your kind reply, it is very much appreciated.
If the syntax of the Creator field "Creator: Tool: toolidentifier-version" as defined in the SPDX specification cannot be complied with, strict compliance with the syntax is not mandatory.
How about adding the following text to section 3.5.2 to make it easier to understand for readers with limited understanding, including myself?
"The following description is also acceptable as a value for the Creator field."
Hi Marc-san,
I ran the open-chain-sbom-validator with the three examples described in Section 3.5.2.
Hi Masahiro-san,
I cannot reproduce the error with "Creator: Tool: sigs.k8s.io/bom/pkg/spdx" in the latest version of the validator.
Which version of the validator were you using?
Best regards,
Marc-Etienne
--
Marc-Etienne Vargenau ***@***.******@***.***>
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68<tel:+33624497868>
Senior Specialist Open Source
Planned absence: none
From: Masahiro DAIKOKU ***@***.***>
Date: Friday, 13 December 2024 at 05:50
To: OpenChain-Project/Telco-WG ***@***.***>
Cc: Marc-Etienne Vargenau (Nokia) ***@***.***>, Comment ***@***.***>
Subject: Re: [OpenChain-Project/Telco-WG] [Question] typo ? (Issue #136)
Hi Marc-san,
I ran the open-chain-sbom-validator with the three examples described in Section 3.5.2.
As a result, the second and third examples did not output an error in the tool, but the first example "Creator: Tool: sigs.k8s.io/bom/pkg/spdx" did output a "Missing or invalid field in CreationInfo::Creator" error type message.
I apologize if I have made a mistake in the operation.
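To make the MUST/SHOULD distinction from Marc-Etienne's reply concrete, and to show why a value such as "Creator: Tool: sigs.k8s.io/bom/pkg/spdx" (the one from the validator run above) fails the name-plus-version requirement, here is an added example; it is not code from the Telco WG or from open-chain-sbom-validator. The Organization creator, the two scanner values and the version-token heuristic are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed SPDX 2.3 tag-value CreationInfo fragment. Only the
# sigs.k8s.io/bom/pkg/spdx value comes from the thread; the rest is made up.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
Creator: Organization: Example Org (hypothetical)
Creator: Tool: sigs.k8s.io/bom/pkg/spdx
Creator: Tool: example-scanner-1.2.3
Creator: Tool: Example Scanner 4.0
Created: 2024-12-06T14:19:00Z
"""

# SHOULD: the guide's recommended "toolidentifier-version" form.
PREFERRED = re.compile(r"^(?P<name>\S+)-(?P<version>\d[\w.+]*)$")
# MUST: a tool name and a version must both be present in some syntax.
# Heuristic (assumption): a version is a standalone dotted numeric token,
# so the "8" inside "k8s" does not count as a version.
ANY_VERSION = re.compile(r"(?<![A-Za-z0-9])v?\d+(\.\d+)+(?![A-Za-z0-9])")


@dataclass
class ToolCheck:
    value: str
    must_ok: bool    # tool name and version both present
    should_ok: bool  # follows "toolidentifier-version"


def check_tool_creator(value: str) -> ToolCheck:
    """Classify one 'Creator: Tool:' value against the guide's MUST and SHOULD."""
    value = value.strip()
    if PREFERRED.match(value):
        return ToolCheck(value, True, True)
    has_name = bool(re.search(r"[A-Za-z]", value))
    has_version = bool(ANY_VERSION.search(value))
    return ToolCheck(value, has_name and has_version, False)


def check_creation_info(doc: str) -> list[ToolCheck]:
    """Return a ToolCheck for every 'Creator: Tool:' line in a tag-value document."""
    results = []
    for line in doc.splitlines():
        key, _, rest = line.partition(":")
        if key.strip() != "Creator":
            continue
        kind, _, value = rest.strip().partition(":")
        if kind.strip() == "Tool":
            results.append(check_tool_creator(value))
    return results
```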
Hi Marc-san and Csatari-san,