
RE: Model suggestions for the IP / licensing section

Hi Steve,


I just realized I didn’t answer your second question:



Are SPDX license expressions something that can be validated with XML schema and/or JSON schema?


[G.O.] no, as far as I can tell – this is the disadvantage of this approach.  To fully validate the expression, you would need to include the full rather complex model.  We have some SPDX tools that have implementations of license expression validation in Java, Python, Golang.  JavaScript/Node is on its way.


If anyone is interested in these tools implementation let me know and I’ll give you more info.



On Dec 12, 2019, 1:32 PM -0600, Gary O'Neall <gary@sourceauditor.com>, wrote:

Hi Philippe,


Following up on the model discussion yesterday, I can provide you some UML in XMI format.  Let me know if you would prefer an email, attachment to a github issue or pull request.  If you could also point me to the repo that contains your XMI files, I’ll start with those. 


Also, FYI, the XMI for SPDX 2.2 is at https://github.com/spdx/spdx-spec/blob/development/v2.2/model/spdx-model.xmi


Since yesterday, I have been thinking about simplifying the SBOM model.  For the licensing, we could include license expressions rather than the full model of licenses.


The full license model is rather complex.  It does, however, allow for much stronger validation and the ability to query the graph of license information to answer important questions for some of the use cases.  Most users, however, will only want to express the license for a given material/artifact and the complex license will likely just get in the way.


The license expression is reasonably well defined in BNF in the SPDX spec Appendix IV.  For many of the serialization formats (e.g. XML, JSON, YAML) we are storing the license information as expressions in SPDX.  Only RDF/XML uses the full graph.


My recommendation is to use the simpler license expressions. 


Philippe and the rest of the SBOM community, please let me know if you disagree.





Gary O'Neall

Principal Consultant

Source Auditor Inc.

Mobile: 408.805.0586

Email: gary@sourceauditor.com

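Why a schema cannot validate a license expression, while a parser built from the Appendix IV BNF can, is easiest to see in code. The following is an added illustration, not code from the SPDX tools mentioned in the thread: a small recursive-descent validator in Python, with a constructed subset of the license and exception lists standing in for the full lists the real tools load.

```python
import re

# Constructed subset of the SPDX License List and exception list; the real validators load the full lists.
KNOWN_LICENSES = {"MIT", "Apache-2.0", "GPL-2.0", "GPL-2.0-only", "GPL-2.0-or-later", "LGPL-2.1-only"}
KNOWN_EXCEPTIONS = {"Classpath-exception-2.0", "LLVM-exception"}
# idstring = 1*(ALPHA / DIGIT / "-" / "."); a LicenseRef may carry a DocumentRef- prefix
LICENSE_REF_RE = re.compile(r"(DocumentRef-[A-Za-z0-9.\-]+:)?LicenseRef-[A-Za-z0-9.\-]+")
TOKEN_RE = re.compile(r"\(|\)|[A-Za-z0-9.\-:+]+")

def parse_license_expression(expr):
    """Recursive descent over the BNF (OR binds loosest, then AND, then WITH); returns a tuple tree."""
    toks = TOKEN_RE.findall(expr)
    if "".join(toks) != re.sub(r"\s+", "", expr):  # anything that is not a token or blank is illegal
        raise ValueError("illegal character in expression")
    take = lambda: toks.pop(0) if toks else None
    def binary(op, operand):  # left-associative chain of one operator; toks[:1] peeks at the next token
        left = operand()
        while toks[:1] == [op]:
            take(); left = (op, left, operand())
        return left
    def simple():  # license-id, license-id"+", license-ref, or "(" compound ")"
        tok = take()
        if tok == "(":
            inner = compound()
            if take() != ")":
                raise ValueError("missing ')'")
            return inner
        if tok is None or tok in (")", "AND", "OR", "WITH"):
            raise ValueError(f"expected a license id, got {tok!r}")
        base = tok[:-1] if tok.endswith("+") else tok  # trailing "+" means "or later"
        if base not in KNOWN_LICENSES and not LICENSE_REF_RE.fullmatch(tok):
            raise ValueError(f"unknown license id {tok!r}")
        if toks[:1] != ["WITH"]:  # only a simple-expression may carry a WITH exception
            return tok
        take(); exc = take()
        if exc not in KNOWN_EXCEPTIONS:
            raise ValueError(f"unknown license exception {exc!r}")
        return ("WITH", tok, exc)
    compound = lambda: binary("OR", lambda: binary("AND", simple))
    tree = compound()
    if toks:  # leftover input such as "MIT Apache-2.0" or a stray ")"
        raise ValueError(f"unexpected token {toks[0]!r}")
    return tree

def is_valid(expr):
    try:
        parse_license_expression(expr)
        return True
    except ValueError:
        return False
```

The identifier check is the part a JSON or XML schema cannot express: it depends on the license list and on the recursive grammar, not on the shape of a single string field.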