[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [EXT] Artifact, or Element, or Package

Hello everyone

As you can guess from my first model, I'm also in favor of Artifact.
About the multiplicity of files, the model is quite clear with a [1..*] cardinality between the Artifact class and the File class.
To help, we could make sure that every illustrations of the different usage scenarii are multi-file situations.

For your information, I posted updated versions of the documents (docx, pdf, xmi) and illustrations in the SBOM google drive; they contain:
* Artifact terminology 
* optional association between the Document class and the LicenseInfo


From: Ido Green [idog@jfrog.com]
Sent: Tuesday, October 22, 2019 6:21 PM
To: Dan Lorenc
Cc: Kay Williams; Martin, Robert A.; sbom@omg.org
Subject: Re: [EXT] Artifact, or Element, or Package

+1 for artifact 
But I wonder how can we make it clear that it could contain multiple files.

On Tue, Oct 22, 2019 at 09:10 Dan Lorenc <dlorenc@google.com> wrote:
I like artifact as well. I acknowledge that it has the implication of only a single entity, but I think it's still our best option. We should make it clear that a "logical artifact" can refer to multiple files.

Dan Lorenc

On Mon, Oct 21, 2019 at 6:31 PM Martin, Robert A. <ramartin@mitre.org> wrote:
In OMG artifact is the favored term for this.  

I support artifact.


From: Kay Williams <kayw@microsoft.com>
Sent: Monday, October 21, 2019 6:59:43 PM
To: sbom@omg.org <sbom@omg.org>
Subject: [EXT] Artifact, or Element, or Package

Hi all,


Here is another nomenclature question for our group.  I was talking with Kate Stewart (Linux Foundation, SPDX) this afternoon. We were discussing what to call the ‘target’ or ‘object’ of an SBOM.  In other words, what is the ‘thing’ an SBOM describes. We think the ‘thing’ is broad, where it may span the following:


  • File diff
  • File
  • Commit, File Archive, Package, Container (all of which span multiple files)
  • File System, Cloud Service (all of which span multiple packages, containers, etc.)


Kate mentioned that in SPDX today the ‘thing’ is an ‘element’. (Not a ‘package’ – Philippe-Emmanuel, we may have been mapping to the wrong SPDX element).


I propose that for the SBOM we call the ‘thing’ an ‘artifact’. This has the following implications:


  1. SPDX 3.0 would need to rename the ‘element’ field to ‘artifact’.
  2. Philippe-Emmanuel would need to update the SBOM model to center around the term ‘artifact’.


Does this work? Thoughts?