path: root/README.SPDX3
blob: 57f98756ab9cf2a93a42cfbd2620de50055edecd
This repository contains the Proof-of-Concept code for SPDX3 support
in the Yocto Project.

What the code includes:
* SPDX3 generation with JSON-LD serialization, still using the .json extension
* Implementations of the Core and Software profiles

Here are the known limitations:
* At the time of writing, the SPDX3 specification is still undergoing
  changes. In particular, the root element has not yet been decided. Because
  of that, the code might require changes when the final specification is
  released.

* Some parts of SPDX3 require clarification. Current issues:
  - Software.Package.homepage is sometimes also called homePage: need to
    confirm the spelling
  - Core.Relationship.from needs special care in Python as it conflicts
    with a built-in
  - should suppliedBy be serialized as an array or as a single string?
  - In the examples, SpdxDocument has a namespace attribute. It does not in
    the documentation
  - what is the equivalent of the documentNamespace that existed in 2.2?

* SPDX3 introduces a modular model, where the content depends on the profiles
  used. The configuration of which profiles to generate needs to be reworked.
  Today, generation is gated by variables shared with the SPDX 2.2 code, such
  as SPDX_INCLUDE_SOURCES. In SPDX3 it could instead be done by enabling
  specific profiles through variables like SPDX3_ENABLE_LICENSING or
  SPDX3_ENABLE_SECURITY.

* The implementation includes data similar to the YP SPDX 2.2 content. SPDX 3.0
  has additional profiles and fields that did not exist in the earlier version.
  The project needs a discussion on what is useful to include in the YP SPDX.
  Additional profiles and classes might be implemented to carry that data.

* The security profile implementation has been prototyped. However, some of
  the needed data must come from the cve-check database (for example: CVSS).
  Obtaining that information is possible, but it will require a dependency on
  cve-check to download the database, and then a refactoring of the cve-check
  database accesses so that they can be performed from other classes while
  keeping the locking correct. Also, VulnAssessmentRelationship requires fixes
  to be classified as "Fixed" or "NotAffected", while YP cve-check has only one
  category for both. At the time of writing, there is a patch on the ML.
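Two of the clarification items above are serialization details rather than specification questions: how to carry Core.Relationship.from in a Python attribute, and whether suppliedBy is an array or a string. The following is an added example (not code from this repository) of a small JSON-LD element serializer that handles both: the attribute is stored as `from_` and renamed on output, and suppliedBy is always emitted as an array while a single-string input is still accepted on load. The class and property names follow the draft naming quoted in this README and are an assumption about the final specification; all element values are constructed.

```python
import dataclasses
import json
from dataclasses import dataclass

# Python attribute name -> JSON-LD property name, for names that collide with
# Python keywords ("from" cannot be used as an attribute name).
KEYWORD_ALIASES = {"from_": "from"}
REVERSE_ALIASES = {v: k for k, v in KEYWORD_ALIASES.items()}

# Properties always emitted as arrays, even when a single value was given
# (assumption: the README's open question is resolved in favour of arrays).
ARRAY_PROPERTIES = {"suppliedBy", "to"}


@dataclass
class Relationship:
    spdxId: str
    from_: str                      # serialized as "from"
    to: list
    relationshipType: str
    type: str = "Relationship"


@dataclass
class Package:
    spdxId: str
    name: str
    suppliedBy: list
    homepage: str = ""              # spelling still to be confirmed (see above)
    type: str = "software_Package"  # assumed profile-prefixed type name


def to_jsonld(element) -> dict:
    """Serialize a dataclass element, applying keyword aliases and array rules."""
    out = {}
    for f in dataclasses.fields(element):
        value = getattr(element, f.name)
        key = KEYWORD_ALIASES.get(f.name, f.name)
        if key in ARRAY_PROPERTIES and not isinstance(value, list):
            value = [value]
        out[key] = value
    return out


def from_jsonld(cls, data: dict):
    """Load an element, mapping "from" back to from_ and accepting single-string arrays."""
    kwargs = {}
    for key, value in data.items():
        attr = REVERSE_ALIASES.get(key, key)
        if key in ARRAY_PROPERTIES and isinstance(value, str):
            value = [value]         # tolerate the single-string form on input
        kwargs[attr] = value
    return cls(**kwargs)


def roundtrip(element) -> bool:
    """True when an element survives a JSON text round trip unchanged."""
    text = json.dumps(to_jsonld(element))
    return from_jsonld(type(element), json.loads(text)) == element
```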