Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a packagePurpose parameter to SPDX Package #621

Closed
goneall opened this issue Jan 28, 2022 · 4 comments · Fixed by #622
Closed

Add a packagePurpose parameter to SPDX Package #621

goneall opened this issue Jan 28, 2022 · 4 comments · Fixed by #622
Milestone
2.3

Comments

@goneall
Copy link
Member

goneall commented Jan 28, 2022

When discussing the security vulnerability use cases, it would be valuable to know if an SPDX Package represents source files used to compile a package, a binary distribution of a package, or a container.

This would also allow for higher fidelity translations between CycloneDX and SPDX SBOM types.

Propose the cardinality be 0..* since more than one type may apply (e.g. the packageFile contains the binary executables plus all the source files used to create it). Making it optional would allow compatibility with the current SPDX release.

Proposed initial set of cardinality values:

  • sourcedistro - A source distribution of a package where all the source files necessary to compile or run an application or library is present
  • application (compatible with CycloneDX)
  • framework (compatible with CycloneDX)
  • library (compatible with CycloneDX)
  • container (compatible with CycloneDX)
  • operating-system (compatible with CycloneDX)
  • device (compatible with CycloneDX)
  • firmware (compatible with CycloneDX)
  • binarydistro - A single file binary distribution. May map to CycloneDX File.
  • distributedfile - A single file which may have its own version and originator (e.g. a properties file or a script). May map to CycloneDX File.
@goneall
Copy link
Member Author

goneall commented Jan 28, 2022

Note: This is related to issue #171 Resolving #171 may not be necessary if this issue is resolved.

@nishakm
Copy link
Contributor

nishakm commented Jan 29, 2022

cc: @rnjudge @puerco

@iamwillbar
Copy link
Collaborator

In SPDX 3.0 we called that property packagePurpose and its data type is an enum called SoftwarePurpose (which overlaps with that list). We also added snippetPurpose and filePurpose properties to Snippet and File.

@nishakm
Copy link
Contributor

nishakm commented Feb 1, 2022

@iamwillbar is there a list of SoftwarePurpose we can use?

@goneall goneall changed the title Add a type parameter to SPDX Package Add a packagePurpose parameter to SPDX Package Feb 5, 2022
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Feb 8, 2022
Add Package Purpose field
613227d 
Fixes spdx#621

Signed-off-by: Nisha K <[email protected]>
@nishakm nishakm mentioned this issue Feb 8, 2022
Merged
@kestewart kestewart added this to the 2.3 milestone Mar 8, 2022
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Mar 9, 2022
@nishakm
Add Package Purpose field
91a9133 
Fixes spdx#621

Signed-off-by: Nisha K <[email protected]>
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Apr 1, 2022
@nishakm
Add Package Purpose field
555cc32 
Fixes spdx#621

Signed-off-by: Nisha K <[email protected]>
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Apr 1, 2022
@nishakm
Add Package Purpose field
1026215 
Fixes spdx#621

Signed-off-by: Nisha K <[email protected]>
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Apr 28, 2022
@nishakm
Add Package Purpose field
ba088fe 
- Add information about "package" in the information section
- Add metadata about Package Purpose

Fixes spdx#621

Signed-off-by: Nisha K <[email protected]>
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Apr 28, 2022
@nishakm
Add Package Purpose field
722bd20 
- Add information about "package" in the information section
- Add metadata about Package Purpose

Fixes spdx#621

Signed-off-by: Nisha K <[email protected]>
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue Apr 28, 2022
@nishakm
Add Package Purpose field
d5a0c46 
- Add information about "package" in the information section
- Add metadata about Package Purpose

Fixes spdx#621

Signed-off-by: nisha (Oracle) <[email protected]>
nishakm pushed a commit to nishakm/spdx-spec that referenced this issue May 2, 2022
@nishakm
Add Package Purpose field
0531f15 
- Add information about "package" in the information section
- Add metadata about Package Purpose

Fixes spdx#621

Signed-off-by: nisha (Oracle) <[email protected]>
nishakm added a commit to nishakm/spdx-spec that referenced this issue May 10, 2022
@nishakm
Add Package Purpose field
d66bab6 
- Add information about "package" in the information section
- Add metadata about Package Purpose

Fixes spdx#621

Signed-off-by: nisha <[email protected]>
kestewart pushed a commit that referenced this issue May 10, 2022
@nishakm @kestewart
Add Package Purpose field
185a7d1 
- Add information about "package" in the information section
- Add metadata about Package Purpose

Fixes #621

Signed-off-by: nisha <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
2.3
Development

Successfully merging a pull request may close this issue.

Add Package Purpose field nishakm/spdx-spec
4 participants
@goneall @nishakm @iamwillbar @kestewart