spdx-spec
Address gaps in documentation of VEX implementation in SPDX 3.0
While going through the SPDX 3.0 model VEX implementation, Venkat observed that there were gaps in the documentation of the implementation. Specifically, the following were observed:
- There is no documentation for how VEX objects are implemented in SPDX and its structure
- There is no mapping of VEX objects to the SPDX. The team felt that it would be better to have a mapping
- There are no examples of various scenarios of how the VEX would be implemented in SPDX format
In the SPDX security meeting that happened on March 20th, 2024, which @goneall, @kestewart, Jeff Schutt, and @VenkatTechnologist attended, it was decided to have a document in the Annexure directory for the mapping and the examples.
In another email thread between Venkat, @goneall, @puerco, @kestewart, and Jeff Schutt, Venkat pointed out that there is no formal documentation for how VEX objects are implemented in SPDX and its structure. This email was also forwarded to @rnjudge by Venkat.
This issue is to track and resolve these gaps.
We can add the mapping as a markdown file to the annexes directory in the spdx-spec v3 branch.
I've made a few changes in the document that we are preparing for the mapping to reflect that there is currently no SPDX field for VEX doc version.
@puerco, can you please review the comments and the updated contents and respond back? Thanks.
@VenkatTechnologist where is the document?
It's currently getting prepared in my Google drive with edit access to Gary, Jeff, and @puerco. If you would like, I can add you too, Rose.
On Sat, Apr 13, 2024 at 12:36 AM Rose Judge wrote:
@VenkatTechnologist where is the document?
It's currently getting prepared in my Google drive with edit access to Gary, Jeff, and @puerco. If you would like, I can add you too, Rose.
Please add me :) I have been on maternity leave but before that heavily involved in the security profile. Thank you!
Sure, and welcome back! Please let me know the email ID that can be used to add you. Thanks.
@VenkatTechnologist [email protected] please, thank you!
There seems to be no formal VEX spec specifying the structure of the VEX implementation in SPDX. I propose that we add that as part of this document and call this document 'VEX support in SPDX' (or along similar lines).
Transferring this issue to the spec repo since we are fixing this in an Annex
The annex about VEX has moved to https://github.com/spdx/using. Please review the content there, and if there is still a concern, open an issue there.