Re: [EXT] Analysis of SPDX compatibility with current SBOM proposal
- To: "Gary O'Neall"
- Subject: Re: [EXT] Analysis of SPDX compatibility with current SBOM proposal
- From: "Martin, Robert A."
- Date: Sun, 5 Jan 2020 12:22:07 -0500
- Organization: MITRE
Thanks for doing this analysis - a lot to consider.
Robert (Bob) Martin
Sr. Secure SW & Technology Principal Eng.
Trust & Assurance Cyber Technologies Dept
Cyber Solutions Technical Center
On 1/3/20 7:52 PM, Gary O'Neall wrote:
I completed a line-by-line comparison of the SPDX 2.2 UML model with the
current SBOM model. A draft of the results of the analysis is here:
Feel free to review and comment.
I realize the document may not be very clear in places – it was taking
me a lot more time than I had budgeted for the exercise and I thought it
would be better to just get out something of a draft rather than waiting
until it was more polished.
I found a number of incompatibilities; many were minor differences in
the choice of attribute names and a few of them were more structural.
I summarized proposals for both changes to the SBOM model and the SPDX
model at the beginning of the document. All proposals are related to
making the 2 models compatible in SPDX 3.0. There are 31 proposed
changes to the SBOM and 13 proposed changes to SPDX. Since it is easier
to change an unpublished standard than to create incompatibilities in
existing documents and tools, I leaned more toward changes in the SBOM
than changes in SPDX. Please note that these proposals are my own and
do not reflect the opinions of the SPDX community as a whole. It is
likely that these changes will require quite a bit of discussion within
the SPDX community and may result in changes or counter-proposals.
There are a couple of categories of changes I would like to highlight:
* Attribute names in SPDX tend to be unique so that they can be
compatible with W3C/RDF existing and proposed vocabularies. For
example, using fileType rather than type within a File Content class
allows the attribute to be easily associated with other uses of the
term fileType even outside of SPDX. This was a strong consideration
during the SPDX development.
* The external document reference structure is different and I believe
structurally incompatible. I’m not sure I fully understand how the
SBOM proposed approach will work with concrete documents. This is
something that should probably be discussed on a call.
Source Auditor Inc.
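The naming point in the quoted message (a globally unique local name such as `fileType` instead of a generic `type`, so the attribute lines up with RDF vocabularies outside SPDX) can be made concrete with a small collision check. The block below is an added example, not code from the thread or the SPDX project. The SPDX (`http://spdx.org/rdf/terms#`) and Dublin Core terms (`http://purl.org/dc/terms/`) namespaces are real, as are `spdx:fileType` and `dcterms:type`; the `sbom` namespace and its term list are constructed placeholders standing in for the unpublished SBOM model, and the function names are the example's own.

```python
"""Vocabulary term-collision check for SBOM/SPDX attribute names.

Added example illustrating the thread's naming point: expand local
attribute names to full IRIs and flag bare local names that are used
in more than one vocabulary, where a generic name like `type` would be
ambiguous once documents from several vocabularies are merged.
"""

# Namespaces. spdx and dcterms are real IRIs; sbom is a constructed
# placeholder for the unpublished SBOM model discussed in the thread.
NAMESPACES = {
    "spdx": "http://spdx.org/rdf/terms#",
    "dcterms": "http://purl.org/dc/terms/",
    "sbom": "https://example.org/sbom#",  # constructed placeholder
}

# Local attribute names per vocabulary. spdx:fileType and dcterms:type
# exist; the sbom entries are constructed to mirror the thread's example
# of a bare `type` attribute on a file-content class.
VOCABULARIES = {
    "spdx": {"fileType", "checksum", "licenseConcluded"},
    "dcterms": {"type", "creator", "title"},
    "sbom": {"type", "name", "checksum"},
}


def qualify(prefix, local_name, namespaces=NAMESPACES):
    """Expand a prefixed term (e.g. spdx:fileType) to its full IRI."""
    return namespaces[prefix] + local_name


def find_term_collisions(vocabularies=VOCABULARIES):
    """Return {local_name: [prefixes]} for names shared by several vocabularies."""
    seen = {}
    for prefix, names in vocabularies.items():
        for name in names:
            seen.setdefault(name, []).append(prefix)
    return {name: sorted(p) for name, p in seen.items() if len(p) > 1}


def is_unambiguous(local_name, vocabularies=VOCABULARIES):
    """True if the bare local name belongs to exactly one vocabulary."""
    return sum(local_name in names for names in vocabularies.values()) == 1


if __name__ == "__main__":
    for name, prefixes in sorted(find_term_collisions().items()):
        iris = ", ".join(qualify(p, name) for p in prefixes)
        print(f"'{name}' is ambiguous as a bare name: {iris}")
    print("fileType unambiguous:", is_unambiguous("fileType"))
```

Run as a script it reports `checksum` and `type` as ambiguous bare names and `fileType` as unambiguous; the same check can be applied to any proposed attribute list before it is merged with an existing RDF vocabulary.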