From 985615ab9979d692fc50afb2d0e648548bc7d112 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 14 Jun 2024 11:41:48 +0100 Subject: [PATCH 1/4] Rename dir: spdx-3.0/ -> spdx3.0/ for consistency Follow naming convention used by spdx2.x examples Signed-off-by: Arthit Suriyawongkul --- .github/workflows/pull_request.yml | 4 ++-- software/README.md | 20 +++++++++++++----- software/example13/README.md | 14 ++++++++++-- .../example-13.drawio => example13.drawio} | 0 .../{example-13.png => example13.png} | Bin .../example13.spdx3.json} | 0 6 files changed, 29 insertions(+), 9 deletions(-) rename software/example13/{spdx-3.0/example-13.drawio => example13.drawio} (100%) rename software/example13/{example-13.png => example13.png} (100%) rename software/example13/{spdx-3.0/example-13-spdx-3.json => spdx3.0/example13.spdx3.json} (100%) diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml index 43a9474..6a0345d 100644 --- a/.github/workflows/pull_request.yml +++ b/.github/workflows/pull_request.yml @@ -16,7 +16,7 @@ jobs: -not -path './tools-java/*' \ -not -path '*/spdx2.2/*' \ -not -path '*/spdx2.3/*' \ - -not -path '*/spdx-3.0/*' | tee flist.txt + -not -path '*/spdx3.0/*' | tee flist.txt test "$(cat flist.txt | wc -l)" = "0" @@ -49,7 +49,7 @@ jobs: SPDX30_SCHEMA_URL="https://spdx.org/schema/3.0.0/spdx-json-schema.json" SPDX30_SHACL_URL="https://spdx.org/rdf/3.0.0/spdx-model.ttl" - for f in $(find . -type f -path '*/spdx-3.0/*.json'); do + for f in $(find . -type f -path '*/spdx3.0/*.json'); do echo "Checking $f..." check-jsonschema -v --schemafile $SPDX30_SCHEMA_URL $f pyshacl -s $SPDX30_SHACL_URL -e $SPDX30_SHACL_URL $f diff --git a/software/README.md b/software/README.md index baa86f1..bf9d484 100644 --- a/software/README.md +++ b/software/README.md @@ -1,8 +1,13 @@ # SPDX Software Usage Examples -This repository includes demonstrations of [SPDX documents](https://spdx.dev) for various examples of software combinations. +This repository includes demonstrations of [SPDX documents](https://spdx.dev) +for various examples of software combinations. -The examples include source code and built / packaged binaries for a variety of scenarios. The software in the repository is (for the most part) not taken from real projects. However, the examples are intended to be demonstrations of how SPDX can convey software bill of materials (SBOM) information for a variety of real-world scenarios. +The examples include source code and built / packaged binaries for a variety of +scenarios. The software in the repository is (for the most part) not taken from +real projects. However, the examples are intended to be demonstrations of how +SPDX can convey software bill of materials (SBOM) information for a variety of +real-world scenarios. ## Format of examples @@ -10,10 +15,16 @@ Directories of the form `example#` are structured as follows: - `content/src/`: contains the example's source code - `content/build/`: contains the example's built artifacts -- `spdx/`: contains one or more SPDX documents (in tag-value or JSON format) for the sources and the build artifacts +- `spdx2.2/`: contains one or more SPDX 2.2 documents (in tag-value or JSON + format) for the sources and the build artifacts +- `spdx3.0/`: contains one or more SPDX 3.0 documents for the sources and the + build artifacts + - `README.md`: more details about the particular example -Each directory contains build metadata which is used to create the build artifacts. It assumes that the necessary tools (make, gcc, etc.) are present on your system, and doesn't do any autoconfiguration or the like. +Each directory contains build metadata which is used to create the build +artifacts. It assumes that the necessary tools (make, gcc, etc.) are present on +your system, and doesn't do any autoconfiguration or the like. ## Examples @@ -32,4 +43,3 @@ Each directory contains build metadata which is used to create the build artifac | 11 | 1 Rust file | compiled with Cargo | 1 document | SBOM describing both source and artifact, related with GENERATED_FROM | | 12 | 1 Ruby library | built using `bundle` | 1 document | SBOM describing Ruby library packaged in a gem | | 13 | Bundled app with a package and container | No compiling - hypothetical example | Documents in progress | SBOM describing a hypothetical "Acme Aplication" | - diff --git a/software/example13/README.md b/software/example13/README.md index 26acfa5..5b43f70 100644 --- a/software/example13/README.md +++ b/software/example13/README.md @@ -2,6 +2,16 @@ ## Description -This is a hypothetical example of a "simple" piece of software, Acme Application version 1.3. This example shows what an SPDX-3.0 document looks like for said Acme Application. The idea for this example is that other profiles will be able to build on top of this and demonstrate how all the profiles can work in harmony. +This is a hypothetical example of a "simple" piece of software, Acme +Application version 1.3. This example shows what an SPDX-3.0 document looks +like for said Acme Application. The idea for this example is that other +profiles will be able to build on top of this and demonstrate how all the +profiles can work in harmony. -In this specific example, Acme Application is a bundled and distributed piece of software. When Acme Application is run, it pulls in the `alpine:latest` container image which runs in parallel to the `npm-elliptic` library that is packaged and distributed within the Acme Application binary. Among others not depicted for the sake of simplicity, `openssl` is a package included in the `alpine:latest` container image. The example-13 SBOM describes the Acme Application top level piece of software. +In this specific example, Acme Application is a bundled and distributed piece +of software. When Acme Application is run, it pulls in the `alpine:latest` +container image which runs in parallel to the `npm-elliptic` library that is +packaged and distributed within the Acme Application binary. Among others not +depicted for the sake of simplicity, `openssl` is a package included in the +`alpine:latest` container image. The example-13 SBOM describes the Acme +Application top level piece of software. diff --git a/software/example13/spdx-3.0/example-13.drawio b/software/example13/example13.drawio similarity index 100% rename from software/example13/spdx-3.0/example-13.drawio rename to software/example13/example13.drawio diff --git a/software/example13/example-13.png b/software/example13/example13.png similarity index 100% rename from software/example13/example-13.png rename to software/example13/example13.png diff --git a/software/example13/spdx-3.0/example-13-spdx-3.json b/software/example13/spdx3.0/example13.spdx3.json similarity index 100% rename from software/example13/spdx-3.0/example-13-spdx-3.json rename to software/example13/spdx3.0/example13.spdx3.json From d61f152c7087cebe774cbff1e6e792e66ca84b54 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 14 Jun 2024 11:49:26 +0100 Subject: [PATCH 2/4] Sort dir in list Signed-off-by: Arthit Suriyawongkul --- software/README.md | 16 ++++------------ 1 file changed, 4 insertions(+), 12 deletions(-) diff --git a/software/README.md b/software/README.md index bf9d484..bfd2ad9 100644 --- a/software/README.md +++ b/software/README.md @@ -1,30 +1,22 @@ # SPDX Software Usage Examples -This repository includes demonstrations of [SPDX documents](https://spdx.dev) -for various examples of software combinations. +This repository includes demonstrations of [SPDX documents](https://spdx.dev) for various examples of software combinations. -The examples include source code and built / packaged binaries for a variety of -scenarios. The software in the repository is (for the most part) not taken from -real projects. However, the examples are intended to be demonstrations of how -SPDX can convey software bill of materials (SBOM) information for a variety of -real-world scenarios. +The examples include source code and built / packaged binaries for a variety of scenarios. The software in the repository is (for the most part) not taken from real projects. However, the examples are intended to be demonstrations of how SPDX can convey software bill of materials (SBOM) information for a variety of real-world scenarios. ## Format of examples Directories of the form `example#` are structured as follows: -- `content/src/`: contains the example's source code - `content/build/`: contains the example's built artifacts +- `content/src/`: contains the example's source code - `spdx2.2/`: contains one or more SPDX 2.2 documents (in tag-value or JSON format) for the sources and the build artifacts - `spdx3.0/`: contains one or more SPDX 3.0 documents for the sources and the build artifacts - - `README.md`: more details about the particular example -Each directory contains build metadata which is used to create the build -artifacts. It assumes that the necessary tools (make, gcc, etc.) are present on -your system, and doesn't do any autoconfiguration or the like. +Each directory contains build metadata which is used to create the build artifacts. It assumes that the necessary tools (make, gcc, etc.) are present on your system, and doesn't do any autoconfiguration or the like. ## Examples From 59656c11988be0b8581c9327df88bafd6444f83b Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 14 Jun 2024 11:55:25 +0100 Subject: [PATCH 3/4] Use example# naming (w/o space, as other examples) Signed-off-by: Arthit Suriyawongkul --- software/example13/README.md | 14 ++------------ 1 file changed, 2 insertions(+), 12 deletions(-) diff --git a/software/example13/README.md b/software/example13/README.md index 5b43f70..c9b8107 100644 --- a/software/example13/README.md +++ b/software/example13/README.md @@ -2,16 +2,6 @@ ## Description -This is a hypothetical example of a "simple" piece of software, Acme -Application version 1.3. This example shows what an SPDX-3.0 document looks -like for said Acme Application. The idea for this example is that other -profiles will be able to build on top of this and demonstrate how all the -profiles can work in harmony. +This is a hypothetical example of a "simple" piece of software, Acme Application version 1.3. This example shows what an SPDX 3.0 document looks like for said Acme Application. The idea for this example is that other profiles will be able to build on top of this and demonstrate how all the profiles can work in harmony. -In this specific example, Acme Application is a bundled and distributed piece -of software. When Acme Application is run, it pulls in the `alpine:latest` -container image which runs in parallel to the `npm-elliptic` library that is -packaged and distributed within the Acme Application binary. Among others not -depicted for the sake of simplicity, `openssl` is a package included in the -`alpine:latest` container image. The example-13 SBOM describes the Acme -Application top level piece of software. +In this specific example, Acme Application is a bundled and distributed piece of software. When Acme Application is run, it pulls in the `alpine:latest` container image which runs in parallel to the `npm-elliptic` library that is packaged and distributed within the Acme Application binary. Among others not depicted for the sake of simplicity, `openssl` is a package included in the `alpine:latest` container image. The example13 SBOM describes the Acme Application top level piece of software. From a1fa8cc7f789afc2cbeefa43986dcbd21defcfb1 Mon Sep 17 00:00:00 2001 From: Arthit Suriyawongkul Date: Fri, 14 Jun 2024 11:57:05 +0100 Subject: [PATCH 4/4] Show a diagram in the README Signed-off-by: Arthit Suriyawongkul --- software/example13/README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/software/example13/README.md b/software/example13/README.md index c9b8107..87ff4f7 100644 --- a/software/example13/README.md +++ b/software/example13/README.md @@ -5,3 +5,5 @@ This is a hypothetical example of a "simple" piece of software, Acme Application version 1.3. This example shows what an SPDX 3.0 document looks like for said Acme Application. The idea for this example is that other profiles will be able to build on top of this and demonstrate how all the profiles can work in harmony. In this specific example, Acme Application is a bundled and distributed piece of software. When Acme Application is run, it pulls in the `alpine:latest` container image which runs in parallel to the `npm-elliptic` library that is packaged and distributed within the Acme Application binary. Among others not depicted for the sake of simplicity, `openssl` is a package included in the `alpine:latest` container image. The example13 SBOM describes the Acme Application top level piece of software. + +![A diagram of Acme Application](./example13.png "A diagram of Acme Application")