Merge pull request #104 from spdx/enrich
Create an example for enriching SPDX V2.3 documents
goneall authored Jan 8, 2025
2 parents 6f8f8bf + 83d438b commit 6a5d3a0
Showing 5 changed files with 481 additions and 0 deletions.
1 change: 1 addition & 0 deletions .github/workflows/pull_request.yml
Expand Up @@ -14,6 +14,7 @@ jobs:
run: |
find . \( -name '*.spdx' -o -name '*.json' \) \
-not -path './presentations/*' \
-not -path '*/content/*' \
-not -path './tools-java/*' \
-not -path '*/spdx2.2/*' \
-not -path '*/spdx2.3/*' \
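Review bot: the added `-not -path '*/spdx2.3/*'` exclusion, combined with the existing `-not -path '*/content/*'` one, removes both documents this PR introduces from whatever this `find` feeds, since the original lives under `software/example14/content/` and the enriched document (per `software/example14/README.md`) under `software/example14/spdx2.3/`, so the new example gets no CI coverage at all. If the intent is only to skip older examples, anchor the pattern to those directories instead of a wildcard, or add a separate step that processes the enriched document and recomputes the SHA1 of the `content/` file against the checksum in its `externalDocumentRefs`.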
1 change: 1 addition & 0 deletions software/README.md
Expand Up @@ -37,3 +37,4 @@ Each directory contains build metadata which is used to create the build artifac
| 11 | 1 Rust file | compiled with Cargo | 1 document | SBOM describing both source and artifact, related with GENERATED_FROM |
| 12 | 1 Ruby library | built using `bundle` | 1 document | SBOM describing Ruby library packaged in a gem |
| 13 | Bundled app with a package and container | No compiling - hypothetical example | Documents in progress | SBOM describing a hypothetical "Acme Aplication" |
| 14 | SPDX file from example 8 | N/A | 1 document | SPDX file is enriched using a tool such as [Parlay](https://github.com/snyk/parlay) - includes relationship to original SPDX document |
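Review bot: the new row's last column names the tool but not the relationship that is the point of the example; consider stating it explicitly, e.g. `... - linked to the original SPDX document via an AMENDS relationship and an externalDocumentRef with a checksum`. Also worth confirming that example 8 is the `examplemaven` project, since `software/example14/README.md` identifies the original only by the file name `examplemaven-0.0.1.spdx.json`.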
50 changes: 50 additions & 0 deletions software/example14/README.md
@@ -0,0 +1,50 @@
# Example 1

## Description

An [existing (original) SPDX document](content/examplemaven-0.0.1.spdx.json) is enriched to include additional metadata from an application such as [Parlay](https://github.com/snyk/parlay) producing the [enriched SPDX document](spdx2.3/examplemaven-0.0.1-enriched.spdx.json). Any process or tool that modifies an existing SPDX document should include the additional metadata referenced in comments below.

## Comments

In addition to any modifications made to the original SPDX document, the following changes are made to the resultant enriched SPDX document:
- Create a new `documentNamespace` - this is required since the enriched document does not contain exactly the same SPDX metadata
- Update the `created` timestamp to the time this document was generated
- Add a tool to the creators for the enrichment tool
- Create an `AMENDS` relationship from the enriched document to the original document
- Add an `externalDocumentRef` for the original document - this is necessary to create the relationship and provides a checksum for verifying the integrity of the original document


Below is a diff for the above-mentioned changes:

```
6c6
< "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1",
---
> "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1/enriched",
11c11,12
< "Tool: spdx-maven-plugin"
---
> "Tool: spdx-maven-plugin",
> "Tool: Parlay"
13c14
< "created": "2022-10-23T15:44:16Z"
---
> "created": "2024-11-18T10:22:12Z"
14a16,23
> "externalDocumentRefs" : [ {
> "externalDocumentId" : "DocumentRef-original",
> "checksum" : {
> "algorithm" : "SHA1",
> "checksumValue" : "3f9deeef2efdbb0eb4b15ec216f5c4e3af2d13e2"
> },
> "spdxDocument" : "http://spdx.org/documents/examplemaven-0.0.1"
> } ],
153a163,168
> {
> "spdxElementId": "SPDXRef-DOCUMENT",
> "relatedSpdxElement": "DocumentRef-original:SPDXRef-DOCUMENT",
> "relationshipType": "AMENDS",
> "comment": "The original document and been enriched by the Parlay application"
> },
```
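Review bot: the heading reads `# Example 1` but the file is `software/example14/README.md`; change it to `# Example 14`. The relationship comment in the diff excerpt has a typo, `The original document and been enriched` should read `has been enriched`, and because the excerpt is copied from the enriched document the fix belongs in `spdx2.3/examplemaven-0.0.1-enriched.spdx.json` as well. The bullet on `externalDocumentRef` would also be clearer if it said that the SHA1 is computed over the original file exactly as shipped under `content/`, so a consumer can actually perform the integrity check the README promises; any later edit to that file, even whitespace, invalidates the checksum.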
204 changes: 204 additions & 0 deletions software/example14/content/examplemaven-0.0.1.spdx.json
@@ -0,0 +1,204 @@
{
"SPDXID": "SPDXRef-DOCUMENT",
"spdxVersion": "SPDX-2.3",
"creationInfo": {
"created": "2022-10-23T15:44:16Z",
"creators": [
"Person: Gary O'Neall",
"Tool: spdx-maven-plugin"
],
"licenseListVersion": "3.18"
},
"name": "examplemaven",
"dataLicense": "CC0-1.0",
"documentDescribes": [
"SPDXRef-example"
],
"documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1",
"packages": [
{
"SPDXID": "SPDXRef-junit",
"copyrightText": "UNSPECIFIED",
"description": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"homepage": "http://junit.org",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "CPL-1.0",
"name": "JUnit",
"originator": "Organization: JUnit",
"summary": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.",
"versionInfo": "3.8.1"
},
{
"SPDXID": "SPDXRef-log4jslf4jbinding",
"copyrightText": "UNSPECIFIED",
"description": "The Apache Log4j SLF4J API binding to Log4j 2 Core",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"name": "Apache Log4j SLF4J Binding",
"summary": "The Apache Log4j SLF4J API binding to Log4j 2 Core"
},
{
"SPDXID": "SPDXRef-log4jslf4jApi",
"copyrightText": "UNSPECIFIED",
"description": "The slf4j API",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"homepage": "http://www.slf4j.org",
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"name": "SLF4J API Module",
"summary": "The slf4j API"
},
{
"SPDXID": "SPDXRef-log4jApi",
"copyrightText": "UNSPECIFIED",
"description": "The Apache Log4j API",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"name": "Apache Log4j API",
"summary": "The Apache Log4j API"
},
{
"SPDXID": "SPDXRef-log4jImpl",
"copyrightText": "UNSPECIFIED",
"description": "The Apache Log4j Implementation",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": false,
"licenseConcluded": "NOASSERTION",
"licenseDeclared": "NOASSERTION",
"name": "Apache Log4j Core",
"summary": "The Apache Log4j Implementation"
},
{
"SPDXID": "SPDXRef-example",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "b8a7e6c75001e6d78625cfc9a3103bf121abf8b4"
}
],
"copyrightText": "Copyright (c) 2022 Source Auditor Inc.",
"description": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.",
"downloadLocation": "NOASSERTION",
"filesAnalyzed": true,
"homepage": "https://github.com/spdx/spdx-examples",
"licenseConcluded": "Apache-2.0",
"licenseDeclared": "Apache-2.0",
"licenseInfoFromFiles": [
"Apache-2.0"
],
"name": "examplemaven",
"originator": "Organization: Linux Foundation",
"packageFileName": "examplemaven-0.0.1.jar",
"packageVerificationCode": {
"packageVerificationCodeValue": "c12417def36d7804096521de4280721e5863e68b"
},
"primaryPackagePurpose": "LIBRARY",
"hasFiles": [
"SPDXRef-appsource",
"SPDXRef-apptest"
],
"summary": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.",
"supplier": "Organization: SPDX",
"versionInfo": "0.0.1"
}
],
"files": [
{
"SPDXID": "SPDXRef-appsource",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "a6f47dbc7e4615058490055172fe0065c55f8fc5"
}
],
"copyrightText": "Copyright (c) 2020 Source Auditor Inc.",
"fileContributors": [
"Gary O'Neall"
],
"fileName": "./src/main/java/org/spdx/examplemaven/App.java",
"fileTypes": [
"SOURCE"
],
"licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0",
"licenseConcluded": "Apache-2.0",
"licenseInfoInFiles": [
"Apache-2.0"
],
"noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc."
},
{
"SPDXID": "SPDXRef-apptest",
"checksums": [
{
"algorithm": "SHA1",
"checksumValue": "4b4df52d36588c8e9482d56eebc42336447f3dad"
}
],
"copyrightText": "Copyright (c) 2020 Source Auditor Inc.",
"fileContributors": [
"Gary O'Neall"
],
"fileName": "./src/test/java/org/spdx/examplemaven/AppTest.java",
"fileTypes": [
"SOURCE"
],
"licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0",
"licenseConcluded": "Apache-2.0",
"licenseInfoInFiles": [
"Apache-2.0"
],
"noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc."
}
],
"relationships": [
{
"spdxElementId": "SPDXRef-junit",
"relationshipType": "TEST_DEPENDENCY_OF",
"relatedSpdxElement": "SPDXRef-example",
"comment": "Relationship created based on Maven POM information"
},
{
"spdxElementId": "SPDXRef-example",
"relationshipType": "DYNAMIC_LINK",
"relatedSpdxElement": "SPDXRef-log4jslf4jbinding",
"comment": "Relationship based on Maven POM file dependency information"
},
{
"spdxElementId": "SPDXRef-example",
"relationshipType": "DYNAMIC_LINK",
"relatedSpdxElement": "SPDXRef-log4jslf4jApi",
"comment": "Relationship based on Maven POM file dependency information"
},
{
"spdxElementId": "SPDXRef-example",
"relationshipType": "DYNAMIC_LINK",
"relatedSpdxElement": "SPDXRef-log4jApi",
"comment": "Relationship based on Maven POM file dependency information"
},
{
"spdxElementId": "SPDXRef-example",
"relationshipType": "DYNAMIC_LINK",
"relatedSpdxElement": "SPDXRef-log4jImpl",
"comment": "Relationship based on Maven POM file dependency information"
},
{
"spdxElementId": "SPDXRef-appsource",
"relationshipType": "GENERATES",
"relatedSpdxElement": "SPDXRef-example",
"comment": ""
},
{
"spdxElementId": "SPDXRef-apptest",
"relationshipType": "TEST_CASE_OF",
"relatedSpdxElement": "SPDXRef-example",
"comment": ""
}
]
}
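Review bot: this file is the integrity anchor for the enriched document, whose `externalDocumentRefs` entry (shown in `software/example14/README.md`) records its SHA1 as `3f9deeef2efdbb0eb4b15ec216f5c4e3af2d13e2`; any reformatting of this JSON, including a changed trailing newline, silently breaks that check, so either note this in the README or add a CI step that recomputes the hash and compares it. Two content nits: `"copyrightText": "UNSPECIFIED"` on the dependency packages is free text rather than the SPDX `NOASSERTION` value that tooling recognises, and both file entries carry `"copyrightText": "Copyright (c) 2020 Source Auditor Inc."` while their `noticeText` says `2022`.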