From 1a3cb5f1952278451c8ebf65d2f24ff2d63ff2d8 Mon Sep 17 00:00:00 2001
From: Gary O'Neall
Date: Wed, 6 Nov 2024 12:18:42 -0800
Subject: [PATCH 1/2] Create an example for enriching SPDX V2.3 documents

---
 software/README.md | 1 +
 software/example14/README.md | 50 ++++
 .../content/examplemaven-0.0.1.spdx.json | 204 ++++++++++++++++
 .../examplemaven-0.0.1-enriched.spdx.json | 225 ++++++++++++++++++
 4 files changed, 480 insertions(+)
 create mode 100644 software/example14/README.md
 create mode 100644 software/example14/content/examplemaven-0.0.1.spdx.json
 create mode 100644 software/example14/spdx2.3/examplemaven-0.0.1-enriched.spdx.json

diff --git a/software/README.md b/software/README.md
index 2c699e2..981d68b 100644
--- a/software/README.md
+++ b/software/README.md
@@ -37,3 +37,4 @@ Each directory contains build metadata which is used to create the build artifac
 | 11 | 1 Rust file | compiled with Cargo | 1 document | SBOM describing both source and artifact, related with GENERATED_FROM |
 | 12 | 1 Ruby library | built using `bundle` | 1 document | SBOM describing Ruby library packaged in a gem |
 | 13 | Bundled app with a package and container | No compiling - hypothetical example | Documents in progress | SBOM describing a hypothetical "Acme Aplication" |
+| 14 | SPDX file from example 8 | N/A | 1 document | SPDX file is enriched using a tool such as [Parlay](https://github.com/snyk/parlay) - includes relationship to original SPDX document |
diff --git a/software/example14/README.md b/software/example14/README.md
new file mode 100644
index 0000000..8c0a61c
--- /dev/null
+++ b/software/example14/README.md
@@ -0,0 +1,50 @@
+# Example 1
+
+## Description
+
+An [existing (original) SPDX document](content/examplemaven-0.0.1.spdx.json) is enriched to include additional metadata from an application such as [Parlay](https://github.com/snyk/parlay) producing the [enriched SPDX document](spdx2.3/examplemaven-0.0.1-enriched.spdx.json). Any process or tool that modifies an existing SPDX document should include the additional metadata referenced in comments below.
+
+## Comments
+
+In addition to any modifications made to the original SPDX document, the following changes are made to the resultant enriched SPDX document:
+- Create a new `documentNamespace` - this is required since the enriched document does not contain exactly the same SPDX metadata
+- Update the `created` timestamp to the time this document was generated
+- Add a tool to the creators for the enrichment tool
+- Create an `AMENDS` relationship from the enriched document to the original document
+- Add an `externalDocumentRef` for the original document - this is necessary to create the relationship and provides a checksum for verifying the integrity of the original document
+
+
+Below is a diff for the above-mentioned changes:
+
+```
+6c6
+< "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1",
+---
+> "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1/enriched",
+11c11,12
+< "Tool: spdx-maven-plugin"
+---
+> "Tool: spdx-maven-plugin",
+> "Tool: Parlay"
+13c14
+< "created": "2022-10-23T15:44:16Z"
+---
+> "created": "2024-11-18T10:22:12Z"
+14a16,23
+> "externalDocumentRefs" : [ {
+> "externalDocumentId" : "DocumentRef-original",
+> "checksum" : {
+> "algorithm" : "SHA1",
+> "checksumValue" : "3f9deeef2efdbb0eb4b15ec216f5c4e3af2d13e2"
+> },
+> "spdxDocument" : "http://spdx.org/documents/examplemaven-0.0.1"
+> } ],
+153a163,168
+> {
+> "spdxElementId": "SPDXRef-DOCUMENT",
+> "relatedSpdxElement": "DocumentRef-original:SPDXRef-DOCUMENT",
+> "relationshipType": "AMENDS",
+> "comment": "The original document and been enriched by the Parlay application"
+> },
+
+```
\ No newline at end of file
diff --git a/software/example14/content/examplemaven-0.0.1.spdx.json b/software/example14/content/examplemaven-0.0.1.spdx.json
new file mode 100644
index 0000000..5e2b290
--- /dev/null
+++ b/software/example14/content/examplemaven-0.0.1.spdx.json
@@ -0,0 +1,204 @@ +{ + "SPDXID": "SPDXRef-DOCUMENT", + "spdxVersion": "SPDX-2.3", + "creationInfo": { + "created": "2022-10-23T15:44:16Z", + "creators": [ + "Person: Gary O'Neall", + "Tool: spdx-maven-plugin" + ], + "licenseListVersion": "3.18" + }, + "name": "examplemaven", + "dataLicense": "CC0-1.0", + "documentDescribes": [ + "SPDXRef-example" + ], + "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1", + "packages": [ + { + "SPDXID": "SPDXRef-junit", + "copyrightText": "UNSPECIFIED", + "description": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://junit.org", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "CPL-1.0", + "name": "JUnit", + "originator": "Organization: JUnit", + "summary": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.", + "versionInfo": "3.8.1" + }, + { + "SPDXID": "SPDXRef-log4jslf4jbinding", + "copyrightText": "UNSPECIFIED", + "description": "The Apache Log4j SLF4J API binding to Log4j 2 Core", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Apache Log4j SLF4J Binding", + "summary": "The Apache Log4j SLF4J API binding to Log4j 2 Core" + }, + { + "SPDXID": "SPDXRef-log4jslf4jApi", + "copyrightText": "UNSPECIFIED", + "description": "The slf4j API", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://www.slf4j.org", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "SLF4J API Module", + "summary": "The slf4j API" + }, + { + "SPDXID": "SPDXRef-log4jApi", + "copyrightText": "UNSPECIFIED", + "description": "The Apache Log4j API", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + 
"licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Apache Log4j API", + "summary": "The Apache Log4j API" + }, + { + "SPDXID": "SPDXRef-log4jImpl", + "copyrightText": "UNSPECIFIED", + "description": "The Apache Log4j Implementation", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "name": "Apache Log4j Core", + "summary": "The Apache Log4j Implementation" + }, + { + "SPDXID": "SPDXRef-example", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "b8a7e6c75001e6d78625cfc9a3103bf121abf8b4" + } + ], + "copyrightText": "Copyright (c) 2022 Source Auditor Inc.", + "description": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": true, + "homepage": "https://github.com/spdx/spdx-examples", + "licenseConcluded": "Apache-2.0", + "licenseDeclared": "Apache-2.0", + "licenseInfoFromFiles": [ + "Apache-2.0" + ], + "name": "examplemaven", + "originator": "Organization: Linux Foundation", + "packageFileName": "examplemaven-0.0.1.jar", + "packageVerificationCode": { + "packageVerificationCodeValue": "c12417def36d7804096521de4280721e5863e68b" + }, + "primaryPackagePurpose": "LIBRARY", + "hasFiles": [ + "SPDXRef-appsource", + "SPDXRef-apptest" + ], + "summary": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.", + "supplier": "Organization: SPDX", + "versionInfo": "0.0.1" + } + ], + "files": [ + { + "SPDXID": "SPDXRef-appsource", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "a6f47dbc7e4615058490055172fe0065c55f8fc5" + } + ], + "copyrightText": "Copyright (c) 2020 Source Auditor Inc.", + "fileContributors": [ + "Gary O'Neall" + ], + "fileName": "./src/main/java/org/spdx/examplemaven/App.java", + "fileTypes": [ + "SOURCE" + ], + "licenseComments": "This file 
contains SPDX-License-Identifiers for Apache-2.0", + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc." + }, + { + "SPDXID": "SPDXRef-apptest", + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "4b4df52d36588c8e9482d56eebc42336447f3dad" + } + ], + "copyrightText": "Copyright (c) 2020 Source Auditor Inc.", + "fileContributors": [ + "Gary O'Neall" + ], + "fileName": "./src/test/java/org/spdx/examplemaven/AppTest.java", + "fileTypes": [ + "SOURCE" + ], + "licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0", + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc." + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-junit", + "relationshipType": "TEST_DEPENDENCY_OF", + "relatedSpdxElement": "SPDXRef-example", + "comment": "Relationship created based on Maven POM information" + }, + { + "spdxElementId": "SPDXRef-example", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-log4jslf4jbinding", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-example", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-log4jslf4jApi", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-example", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-log4jApi", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-example", + "relationshipType": "DYNAMIC_LINK", + "relatedSpdxElement": "SPDXRef-log4jImpl", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-appsource", + "relationshipType": "GENERATES", + 
"relatedSpdxElement": "SPDXRef-example", + "comment": "" + }, + { + "spdxElementId": "SPDXRef-apptest", + "relationshipType": "TEST_CASE_OF", + "relatedSpdxElement": "SPDXRef-example", + "comment": "" + } + ] +} \ No newline at end of file diff --git a/software/example14/spdx2.3/examplemaven-0.0.1-enriched.spdx.json b/software/example14/spdx2.3/examplemaven-0.0.1-enriched.spdx.json new file mode 100644 index 0000000..356b09a --- /dev/null +++ b/software/example14/spdx2.3/examplemaven-0.0.1-enriched.spdx.json 
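Review bot: The GENERATES and TEST_CASE_OF relationships at the end of this hunk carry `"comment": ""`, while every other relationship in the file has a real comment and the enriched copy of the same relationships simply omits the key; an empty string used as "no comment" is a sentinel, so drop the key instead. The two file entries also record `"copyrightText": "Copyright (c) 2020 Source Auditor Inc."` while their `noticeText` says 2022, which looks like a copy error rather than an intended difference. Note that this document is the integrity anchor for the enriched one — its SHA1 is pinned in the enriched document's `externalDocumentRefs` — so changing even one byte here, including either fix above, requires recomputing that checksum; if the file is meant to stay bit-for-bit identical to the example 8 output, the README should say so rather than anyone editing it.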
@@ -0,0 +1,225 @@ +{ + "spdxVersion": "SPDX-2.3", + "dataLicense": "CC0-1.0", + "SPDXID": "SPDXRef-DOCUMENT", + "name": "examplemaven", + "documentNamespace": "http://spdx.org/documents/examplemaven-0.0.1/enriched", + "creationInfo": { + "licenseListVersion": "3.18", + "creators": [ + "Person: Gary O'Neall", + "Tool: spdx-maven-plugin", + "Tool: Parlay" + ], + "created": "2024-11-18T10:22:12Z" + }, + "externalDocumentRefs" : [ { + "externalDocumentId" : "DocumentRef-original", + "checksum" : { + "algorithm" : "SHA1", + "checksumValue" : "3f9deeef2efdbb0eb4b15ec216f5c4e3af2d13e2" + }, + "spdxDocument" : "http://spdx.org/documents/examplemaven-0.0.1" + } ], + "packages": [ + { + "name": "JUnit", + "SPDXID": "SPDXRef-junit", + "versionInfo": "3.8.1", + "originator": "Organization: JUnit", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://junit.org", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "CPL-1.0", + "copyrightText": "UNSPECIFIED", + "summary": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.", + "description": "JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java." 
+ }, + { + "name": "Apache Log4j SLF4J Binding", + "SPDXID": "SPDXRef-log4jslf4jbinding", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "UNSPECIFIED", + "summary": "The Apache Log4j SLF4J API binding to Log4j 2 Core", + "description": "The Apache Log4j SLF4J API binding to Log4j 2 Core" + }, + { + "name": "SLF4J API Module", + "SPDXID": "SPDXRef-log4jslf4jApi", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "homepage": "http://www.slf4j.org", + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "UNSPECIFIED", + "summary": "The slf4j API", + "description": "The slf4j API" + }, + { + "name": "Apache Log4j API", + "SPDXID": "SPDXRef-log4jApi", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "UNSPECIFIED", + "summary": "The Apache Log4j API", + "description": "The Apache Log4j API" + }, + { + "name": "Apache Log4j Core", + "SPDXID": "SPDXRef-log4jImpl", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": false, + "licenseConcluded": "NOASSERTION", + "licenseDeclared": "NOASSERTION", + "copyrightText": "UNSPECIFIED", + "summary": "The Apache Log4j Implementation", + "description": "The Apache Log4j Implementation" + }, + { + "name": "examplemaven", + "SPDXID": "SPDXRef-example", + "versionInfo": "0.0.1", + "packageFileName": "examplemaven-0.0.1.jar", + "supplier": "Organization: SPDX", + "originator": "Organization: Linux Foundation", + "downloadLocation": "NOASSERTION", + "filesAnalyzed": true, + "packageVerificationCode": { + "packageVerificationCodeValue": "c12417def36d7804096521de4280721e5863e68b" + }, + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "b8a7e6c75001e6d78625cfc9a3103bf121abf8b4" + } + ], + "homepage": "https://github.com/spdx/spdx-examples", + "licenseConcluded": 
"Apache-2.0", + "licenseInfoFromFiles": [ + "Apache-2.0" + ], + "licenseDeclared": "Apache-2.0", + "copyrightText": "Copyright (c) 2022 Source Auditor Inc.", + "summary": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.", + "description": "This is a simple example Maven project created using the Maven quickstart archetype with one dependency added.", + "primaryPackagePurpose": "LIBRARY" + } + ], + "files": [ + { + "fileName": "./src/main/java/org/spdx/examplemaven/App.java", + "SPDXID": "SPDXRef-appsource", + "fileTypes": [ + "SOURCE" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "a6f47dbc7e4615058490055172fe0065c55f8fc5" + } + ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0", + "copyrightText": "Copyright (c) 2020 Source Auditor Inc.", + "noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc.", + "fileContributors": [ + "Gary O'Neall" + ] + }, + { + "fileName": "./src/test/java/org/spdx/examplemaven/AppTest.java", + "SPDXID": "SPDXRef-apptest", + "fileTypes": [ + "SOURCE" + ], + "checksums": [ + { + "algorithm": "SHA1", + "checksumValue": "4b4df52d36588c8e9482d56eebc42336447f3dad" + } + ], + "licenseConcluded": "Apache-2.0", + "licenseInfoInFiles": [ + "Apache-2.0" + ], + "licenseComments": "This file contains SPDX-License-Identifiers for Apache-2.0", + "copyrightText": "Copyright (c) 2020 Source Auditor Inc.", + "noticeText": "SPDX-License-Identifier: Apache-2.0\nCopyright (c) 2022 Source Auditor Inc.", + "fileContributors": [ + "Gary O'Neall" + ] + } + ], + "relationships": [ + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "DocumentRef-original:SPDXRef-DOCUMENT", + "relationshipType": "AMENDS", + "comment": "The original document and been enriched by the Parlay application" + }, + { + "spdxElementId": 
"SPDXRef-junit", + "relatedSpdxElement": "SPDXRef-example", + "relationshipType": "TEST_DEPENDENCY_OF", + "comment": "Relationship created based on Maven POM information" + }, + { + "spdxElementId": "SPDXRef-example", + "relatedSpdxElement": "SPDXRef-log4jslf4jbinding", + "relationshipType": "DYNAMIC_LINK", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-example", + "relatedSpdxElement": "SPDXRef-log4jslf4jApi", + "relationshipType": "DYNAMIC_LINK", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-example", + "relatedSpdxElement": "SPDXRef-log4jApi", + "relationshipType": "DYNAMIC_LINK", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-example", + "relatedSpdxElement": "SPDXRef-log4jImpl", + "relationshipType": "DYNAMIC_LINK", + "comment": "Relationship based on Maven POM file dependency information" + }, + { + "spdxElementId": "SPDXRef-appsource", + "relatedSpdxElement": "SPDXRef-example", + "relationshipType": "GENERATES" + }, + { + "spdxElementId": "SPDXRef-apptest", + "relatedSpdxElement": "SPDXRef-example", + "relationshipType": "TEST_CASE_OF" + }, + { + "spdxElementId": "SPDXRef-DOCUMENT", + "relatedSpdxElement": "SPDXRef-example", + "relationshipType": "DESCRIBES" + }, + { + "spdxElementId": "SPDXRef-example", + "relatedSpdxElement": "SPDXRef-appsource", + "relationshipType": "CONTAINS" + }, + { + "spdxElementId": "SPDXRef-example", + "relatedSpdxElement": "SPDXRef-apptest", + "relationshipType": "CONTAINS" + } + ] +} \ No newline at end of file From 83d438bc9b010ec51cf2278147a85a2a8904ab6b Mon Sep 17 00:00:00 2001 From: Gary O'Neall Date: Wed, 8 Jan 2025 14:59:07 -0800 Subject: [PATCH 2/2] Allow json files to be in content --- .github/workflows/pull_request.yml | 1 + 1 file changed, 1 insertion(+) 
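Review bot: The `checksumValue` in `externalDocumentRefs` is the only thing that lets a consumer confirm it is amending the right original, and nothing in the commit shows how it was derived or checks it; it has to be the SHA1 of the exact committed bytes of content/examplemaven-0.0.1.spdx.json (which ends without a trailing newline), so either add a verification step to CI or state the command used in the README so a reviewer can reproduce it. The `created` value `2024-11-18T10:22:12Z` is later than the commit's own date (6 Nov 2024), which suggests this block was hand-edited rather than emitted by the enrichment tool; an example meant to show tool output should carry a timestamp that is at least plausible. The AMENDS relationship comment reads `"The original document and been enriched by the Parlay application"` — `and` should be `has`, and the same typo is repeated in the README's diff excerpt. Finally, the inserted `externalDocumentRefs` block uses `"key" : value` and `[ {` formatting unlike the rest of the document; reformat it to match so the file reads as one serializer's output.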
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
index 7c9e45d..e2ef1e9 100644
--- a/.github/workflows/pull_request.yml
+++ b/.github/workflows/pull_request.yml
@@ -14,6 +14,7 @@ jobs:
 run: |
 find . \( -name '*.spdx' -o -name '*.json' \) \
 -not -path './presentations/*' \
+ -not -path '*/content/*' \
 -not -path './tools-java/*' \
 -not -path '*/spdx2.2/*' \
 -not -path '*/spdx2.3/*' \
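Review bot: The new exclusion `-not -path '*/content/*'` matches every directory named `content` anywhere in the tree, not just `software/example14/content`, so any future SPDX document placed under such a path silently drops out of validation; the neighbouring exclusions are anchored (`./presentations/*`, `./tools-java/*`), so use `-not -path './software/example14/content/*' \` instead. The adjacent `*/spdx2.2/*` and `*/spdx2.3/*` rules suggest the validator only accepts SPDX 3 documents; if that is the reason the 2.3 input file must be skipped, placing it under an already-excluded `spdx2.3/` directory would need no new rule at all. Either way the reason belongs in a YAML comment beside the line, e.g. `# example14/content holds the SPDX 2.3 input document, not a validatable example output`. The `run:` block containing this find command starts and ends outside the hunk.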