[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Artifact, or Element, or Package

Artifact would imply a single thing is what the BOM describes. Enterprise software is typically a collection of things packaged together and given a marketing name/version.

CycloneDX simply refers to it as a BOM Descriptor with a single ‘metadata’ node describing the contents.

On Oct 21, 2019, 6:08 PM -0500, William Bartholomew <iamwillbar@github.com>, wrote:
What about calling it Manifest? That is in-line with the Bill of Materials nomenclature and I would see the manifest as describing an artifact.

Sent from my iPhone

On Oct 21, 2019, at 4:02 PM, Santiago Torres Arias <santiago@nyu.edu> wrote:

This is part of the reason we in in-toto started using the term
"artifact", as it is not a computer-science overloaded term (like
package, thing or element).

As I understand it, a package is a type of SPDX element, but not


On Mon, Oct 21, 2019 at 10:59:43PM +0000, Kay Williams wrote:
Hi all,

Here is another nomenclature question for our group. I was talking with Kate Stewart (Linux Foundation, SPDX) this afternoon. We were discussing what to call the 'target' or 'object' of an SBOM. In other words, what is the 'thing' an SBOM describes. We think the 'thing' is broad, where it may span the following:

* File diff
* File
* Commit, File Archive, Package, Container (all of which span multiple files)
* File System, Cloud Service (all of which span multiple packages, containers, etc.)

Kate mentioned that in SPDX today the 'thing' is an 'element'. (Not a 'package' - Philippe-Emmanuel, we may have been mapping to the wrong SPDX element).

I propose that for the SBOM we call the 'thing' an 'artifact'. This has the following implications:

1. SPDX 3.0 would need to rename the 'element' field to 'artifact'.
2. Philippe-Emmanuel would need to update the SBOM model to center around the term 'artifact'.

Does this work? Thoughts?