[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Artifact, or Element, or Package



Hi all,

 

Here is another nomenclature question for our group.  I was talking with Kate Stewart (Linux Foundation, SPDX) this afternoon. We were discussing what to call the ‘target’ or ‘object’ of an SBOM.  In other words, what is the ‘thing’ an SBOM describes. We think the ‘thing’ is broad, where it may span the following:

 

  • File diff
  • File
  • Commit, File Archive, Package, Container (all of which span multiple files)
  • File System, Cloud Service (all of which span multiple packages, containers, etc.)

 

Kate mentioned that in SPDX today the ‘thing’ is an ‘element’. (Not a ‘package’ – Philippe-Emmanuel, we may have been mapping to the wrong SPDX element).

 

I propose that for the SBOM we call the ‘thing’ an ‘artifact’. This has the following implications:

 

  1. SPDX 3.0 would need to rename the ‘element’ field to ‘artifact’.
  2. Philippe-Emmanuel would need to update the SBOM model to center around the term ‘artifact’.

 

Does this work? Thoughts?

 

Kay