Thanks Gary, Philippe-Emmanuel,
I have a question for you both, and for us all. Is there something more we should be doing to have the tools and systems in place to collaborate effectively? How do we want this to work? Is there anything I can do to help?
Kay
From: Gary O'Neall
Sent: Thursday, January 9, 2020 9:58 AM
To: 'Philippe-Emmanuel Douziech'
Subject: RE: Analysis of SPDX compatibility with current SBOM proposal
Thanks Philippe – having these organized in a table really helps.
BTW – the generated 3T-SBOM-EMS file on the Google Drive looks like it may be an old version. The modification history in Google Docs doesn't show any change, but a number of the issues I have identified seem to have been resolved, and the document now appears inconsistent with some of the diagrams (e.g. https://drive.google.com/drive/u/1/folders/1q9v4y6MJBagQn42DMIqwSKU6lerrKWCj). I'm working from the Word doc downloaded from the Git repository: https://github.com/cdfoundation/sig-security-sbom/blob/master/modeling/generated_3T-SBOM-EMS.docx
BTW – from a quick glance, the version that is on Google docs does not have many of the issues identified in my analysis.
I’ll go through my old analysis and move them over to the sheet or add issues to the git repo.
Gary
From: Philippe-Emmanuel Douziech
Hello
As discussed yesterday, I produced tables to track change propositions (and justifications)
Best regards
Philippe-Emmanuel
From: Philippe-Emmanuel Douziech
Hello and a happy successful 2020 to all!
On my side, I worked on a JSON schema: https://drive.google.com/open?id=1vjnh8FD3GXTqXQ7eK-hD1WfQgm6Y0lPD / https://github.com/cdfoundation/sig-security-sbom/blob/master/modeling/generated_3T-SBOM-EMS.schema.json (for which I also had to change type attributes to specialized xxxType).
Then, @William Cox, I saw a copy of the generated DOCX in the Google Drive ( https://drive.google.com/open?id=1N-QwH9zN-hX4N3NmtHjzG3k4dP25jTiN ) but I didn't see the updates. Could you tell me the differences?
Thank you
Philippe-Emmanuel
Greetings all,
I completed a line-by-line comparison of the SPDX 2.2 UML model with the current SBOM model. A draft of the results of the analysis is here: https://docs.google.com/document/d/1s4TQN6DgfF6rup_5aQbySQpVrdaaK24ngnRmwqsmmXs/edit?usp=sharing
Feel free to review and comment.
I realize the document may not be very clear in places – it was taking me a lot more time than I had budgeted for the exercise and I thought it would be better to just get out something of a draft rather than waiting until it was more polished.
I found a number of incompatibilities; many were minor differences in the choice of attribute names and a few of them were more structural.
I summarized proposals for both changes to the SBOM model and the SPDX model at the beginning of the document. All proposals are related to making the 2 models compatible in SPDX 3.0. There are 31 proposed changes to the SBOM and 13 proposed changes to SPDX. Since it is easier to change an unpublished standard than to create incompatibilities in existing documents and tools, I leaned more toward changes in the SBOM than changes in SPDX. Please note that these proposals are my own and do not reflect the opinions of the SPDX community as a whole. It is likely that these changes will require quite a bit of discussion within the SPDX community and may result in changes or counter-proposals.
There are a couple of categories of changes I would like to highlight:
Best regards, Gary
-------------------------------------------------
Gary O'Neall
Principal Consultant
Source Auditor Inc.
Mobile: 408.805.0586