This repository has been archived by the owner on Aug 27, 2022. It is now read-only.

Clarify Document artifacts attribute semantics #9

Open
goneall opened this issue Jan 9, 2020 · 2 comments

Comments

goneall (Collaborator) commented Jan 9, 2020

Clarify the semantics of the artifacts/documentDescribes in the Document as to whether this association is just for the artifacts described by the document or ALL artifacts contained within the SBOM.

SPDX uses the similar documentDescribes to describe the Artifacts the document is describing. The documentDescribes does not include all artifacts included in the document (e.g. if the Document is describing a package and that package contains files, the files will be included in the document but would not be part of the documentDescribes attribute).

Propose artifacts/documentDescribes having the same semantics as SPDX.

CASTResearchLabs (Collaborator) commented

In the current proposition, the "artifacts" were the pieces of software the "Document" is providing visibility about, even if limited (e.g., limited to the fields from the "Artifact" class alone), and the "referencedArtifacts" from the "Document" were only references to pieces of software that are useful in the context of the "Document" to define relationships, activities, etc., but they are outside the perimeter of the "Document".
To reuse the example from the previous comment: if the Document is describing a package and that package contains files, the files will also be included in the document but would not be part of the artifacts attribute; they would be part of the files attribute of the Artifacts from the artifacts attribute of the Document.
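
As an added example (not code from this issue or from the project), a small Python consumer that makes the distinction discussed in the two comments above concrete on a constructed SPDX 2.2-style JSON document: the described set comes from documentDescribes and DESCRIBES relationships, whereas the files of the described package are carried in the document but are only reachable through CONTAINS. The field names assume the SPDX 2.2 JSON format; the element IDs and file names are constructed sample data.

```python
import json

# Constructed SPDX 2.2-style JSON document (assumption: SPDX 2.2 JSON field names,
# i.e. "documentDescribes" plus explicit DESCRIBES/CONTAINS relationships).
_REL = [("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-app"),
        ("SPDXRef-Package-app", "CONTAINS", "SPDXRef-File-main"),
        ("SPDXRef-Package-app", "DEPENDS_ON", "SPDXRef-Package-libz"),
        ("SPDXRef-Package-libz", "CONTAINS", "SPDXRef-File-zlib")]
SAMPLE_SBOM = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-Package-app"],
    "packages": [{"SPDXID": "SPDXRef-Package-app", "name": "app"},
                 {"SPDXID": "SPDXRef-Package-libz", "name": "libz"}],
    "files": [{"SPDXID": "SPDXRef-File-main", "fileName": "./src/main.c"},
              {"SPDXID": "SPDXRef-File-zlib", "fileName": "./vendor/zlib.c"}],
    "relationships": [{"spdxElementId": a, "relationshipType": t, "relatedSpdxElement": b}
                      for a, t, b in _REL],
})

def described_artifacts(doc):
    """Artifacts the document is about: documentDescribes plus DESCRIBES edges."""
    ids = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == doc["SPDXID"]:
            ids.add(rel["relatedSpdxElement"])
    return ids

def all_artifacts(doc):
    """Every package and file element the document carries, described or not."""
    return {e["SPDXID"] for e in doc.get("packages", []) + doc.get("files", [])}

def contained_in(doc, root):
    """Transitive closure of CONTAINS below root (root itself excluded)."""
    children = {}
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "CONTAINS":
            children.setdefault(rel["spdxElementId"], []).append(rel["relatedSpdxElement"])
    seen, stack = set(), [root]
    while stack:
        for child in children.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen

def summarize(sbom_json):
    # Split the document's elements into "described" vs merely carried along.
    doc = json.loads(sbom_json)
    described, everything = described_artifacts(doc), all_artifacts(doc)
    return {"described": described, "not_described": everything - described,
            "inside_app": contained_in(doc, "SPDXRef-Package-app")}
```

Note that libz ends up in not_described but not in inside_app: it is related by DEPENDS_ON, not CONTAINS, so a consumer that only follows containment would miss it.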

goneall (Collaborator, Author) commented Jan 14, 2020

@CASTResearchLabs thanks for the additional explanation.
