SBOM
Can SPDX be updated to 2.3?
Some of the NOASSERTION fields no longer need to be included.
https://spdx.github.io/spdx-spec/v2.3/
Hello @kestewart
Can you send an example? It will be easier to work off of it. I was trying to read through the docs; there are quite a few updates, and I am finding it hard to compare them myself. If, in fact, you can get the enclosed example
SPDX-ACME-INFUSION-1-0-SBOM-DRAFT-30-8-2022-13-23-spdx.txt
upconverted to v 2.3, it will make it easy to work from.
Thanks Vijay
Hi @sei-vsarvepalli, here's a modified version of this file which I believe should be a valid SPDX 2.3 file:
SPDX-ACME-INFUSION-1-0-SBOM-DRAFT-30-8-2022-13-23-spdx-revised-for-2.3.txt
For ease of tracking, the changes I've made here for 2.1 to 2.3 are:
- changing the SPDXVersion from SPDX-2.1 to SPDX-2.3
- removing the PackageLicenseConcluded, PackageLicenseDeclared and PackageCopyrightText fields
Additionally, please note that the file you shared originally does not appear to be a fully valid SPDX 2.1 document, for a few reasons:
- it uses purl external references, which were not defined until SPDX 2.2
- there are some issues with the Packages with FilesAnalyzed: true:
  - some don't list subsequent File information sections
  - those that do, don't include some of the required File information section fields (such as separate SPDX IDs for those Files)
  - and, other Package information required for Packages with FilesAnalyzed: true is missing -- the Package Verification Code is not present
Because of this, in the attached example I am changing all FilesAnalyzed fields to false and removing the FileName / FileChecksum fields. I can provide more details about this if you have questions.
Below is the diff between the two files:
2c2
< SPDXVersion: SPDX-2.1
---
> SPDXVersion: SPDX-2.3
21,24c21
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
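Review bot: dropping PackageLicenseConcluded, PackageLicenseDeclared and PackageCopyrightText in this hunk (and in the matching hunks below) is only valid because SPDX 2.3 made those package fields optional; with every value being NOASSERTION nothing is lost, but a consumer still reading the file as 2.1 or 2.2 would see mandatory fields missing, so the SPDXVersion change in the first hunk is a prerequisite for this one rather than an independent edit.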
38,41c35
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
55,58c49
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
72,77c63
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
< FileName: SQL-2005-Express.msi
< FileChecksum: SHA256: 8dc52671c9828e3c480de384488298f58b4b21df3fe975175ec6a3ab90a0988c
---
> FilesAnalyzed: false
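Review bot: besides the license fields, this hunk removes the only checksum the SBOM recorded for SQL-2005-Express.msi (the SHA256 on the FileChecksum line), and the 140,145c117 hunk does the same for spring-instrument.jar. That is consistent with the File section validity problems described above, but it silently drops an integrity value; if keeping it matters, a PackageChecksum field on the package (which does not depend on FilesAnalyzed being true) would preserve the SHA256 without reintroducing the File section requirements.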
89,92c75
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
106,109c89
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
123,126c103
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
---
> FilesAnalyzed: false
140,145c117
< FilesAnalyzed: true
< PackageLicenseConcluded: NOASSERTION
< PackageLicenseDeclared: NOASSERTION
< PackageCopyrightText: NOASSERTION
< FileName: spring-instrument.jar
< FileChecksum: SHA256: ea8436f23b06d4649626f6a87a65e0128d6fe674d9a180d800737555adbae829
---
> FilesAnalyzed: false
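The FilesAnalyzed rules summarised in the comment above, as an added checker (example code, not SPDX project code and not the commenter's): it parses SPDX tag-value text and flags packages with FilesAnalyzed: true that lack a PackageVerificationCode, have no File sections, or whose File sections lack an SPDXID. The two sample documents are constructed (the verification code is a placeholder), and the parser assumes a File section belongs to the package declared immediately before it.

```python
# Constructed sample with the thread's defect: FilesAnalyzed is true, yet there
# is no PackageVerificationCode and the File section has no SPDXID.
BAD_DOC = """PackageName: SQL-2005-Express
SPDXID: SPDXRef-Package-1
FilesAnalyzed: true
FileName: SQL-2005-Express.msi
FileChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""
# Constructed sample meeting the FilesAnalyzed: true requirements (the
# verification code is a placeholder, not computed from real file contents).
GOOD_DOC = """PackageName: SQL-2005-Express
SPDXID: SPDXRef-Package-1
FilesAnalyzed: true
PackageVerificationCode: 0000000000000000000000000000000000000000
FileName: SQL-2005-Express.msi
SPDXID: SPDXRef-File-1
FileChecksum: SHA256: 0000000000000000000000000000000000000000000000000000000000000000
"""
def parse_packages(text):
    # Group tag/value lines by package. Assumed, as in the thread's wording:
    # a File section starts at FileName and belongs to the preceding package.
    packages, pkg, file_sec = [], None, None
    for line in text.splitlines():
        tag, sep, value = (s.strip() for s in line.partition(":"))
        if not sep or (pkg is None and tag != "PackageName"):
            continue  # not a tag/value line, or a document-level header
        if tag == "PackageName":
            pkg, file_sec = {"name": value, "fields": {}, "files": []}, None
            packages.append(pkg)
        elif tag == "FileName":
            pkg["files"].append(file_sec := {"FileName": value})
        else:
            (file_sec if file_sec is not None else pkg["fields"])[tag] = value
    return packages

def check_files_analyzed(text):
    # Return (package, problem) pairs. FilesAnalyzed defaults to true when the
    # field is absent; FilesAnalyzed: false packages carry no file-level duties.
    problems = []
    for p in parse_packages(text):
        if p["fields"].get("FilesAnalyzed", "true").lower() != "true":
            continue
        if "PackageVerificationCode" not in p["fields"]:
            problems.append((p["name"], "missing PackageVerificationCode"))
        if not p["files"]:
            problems.append((p["name"], "no File sections follow the package"))
        for f in p["files"]:
            if "SPDXID" not in f:
                problems.append((p["name"], f"File {f['FileName']} lacks SPDXID"))
    return problems
```

Running check_files_analyzed over a real tag-value file shows which packages can keep FilesAnalyzed: true as-is and which need the fields added or the flag set to false.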
Hello @swinslow
Very helpful. I believe the work done for the Medical Proof of Concept had a desire to represent examples where a package was analyzed and some signature could provide assertion for such a claim - specifically that there was a validation of a SHA256 signature of a file that was a component of a full SBOM. That was the reason to introduce the FilesAnalyzed. Can you provide an example where a valid FilesAnalyzed: true can be fully demonstrated?
Thanks again for your help. Vijay