Add support for generating SPDX 2.3 and 3.0 files #5445
Comments
@goneall made the following list highlighting 2.3 versus 2.2 changes, see spdx/spdx-spec#691 (comment)
Note that this changes serialization of reference categories to use dashes instead of underscores [1]. Continue to accept underscores when deserializing for backward compatibility, also see the discussion at [2]. Generally, deserialization of SPDX 2.2 is still supported.

The diff of `spdx-schema.json` nicely resembles the code changes.

Resolves #5445.

[1]: https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json#L325
[2]: CycloneDX/cyclonedx-dotnet-library#267

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
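The backward-compatible handling the commit message describes, as an added example that is not part of the PR or of ORT: `referenceCategory` values are read in either the SPDX 2.2 (underscore) or 2.3 (dash) spelling, anything outside the enum is rejected instead of passed through, and the document is re-emitted with the 2.3 spelling. The sample document is constructed; only the reference-category spelling and `spdxVersion` are touched, not the other 2.3 additions.

```python
import json

# SPDX 2.3 spells referenceCategory with dashes; SPDX 2.2 used underscores for
# the two multi-word values (PACKAGE_MANAGER, PERSISTENT_ID).
SPDX23_REFERENCE_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", "OTHER"}


def normalize_reference_category(value: str) -> str:
    """Accept the 2.2 or the 2.3 spelling and return the 2.3 one.

    Values outside the enum raise instead of being copied through, so a typo or an
    untrusted input document cannot smuggle an unknown category into the output.
    """
    canonical = value.replace("_", "-")
    if canonical not in SPDX23_REFERENCE_CATEGORIES:
        raise ValueError(f"unknown referenceCategory {value!r}")
    return canonical


def upgrade_reference_categories(doc: dict) -> dict:
    """Return a copy of an SPDX 2.2/2.3 JSON document with 2.3 category spellings."""
    out = json.loads(json.dumps(doc))  # deep copy: never mutate the caller's document
    version = out.get("spdxVersion")
    if version not in ("SPDX-2.2", "SPDX-2.3"):
        raise ValueError(f"unsupported spdxVersion {version!r}")
    out["spdxVersion"] = "SPDX-2.3"
    for package in out.get("packages", []):
        for ref in package.get("externalRefs", []):
            ref["referenceCategory"] = normalize_reference_category(ref["referenceCategory"])
    return out


# Constructed sample: a minimal SPDX 2.2 document with one package and one purl reference.
SAMPLE_SPDX22 = {
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [{
        "SPDXID": "SPDXRef-Package-example",
        "name": "example",
        "externalRefs": [{
            "referenceCategory": "PACKAGE_MANAGER",
            "referenceType": "purl",
            "referenceLocator": "pkg:maven/org.example/example@1.0.0",
        }],
    }],
}

if __name__ == "__main__":
    print(json.dumps(upgrade_reference_categories(SAMPLE_SPDX22), indent=2))
```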
👋 team, fantastic project here. We have some teams that are using ORT and this support would come in quite handy as we are standardizing internal SBOMs on 2.3. I've noticed that there is a related MR and the issue has been coming in and out of the roadmap. Just out of curiosity, is this something that you plan to do in the short term? Also, we try to contribute to OSS as we understand very often priorities don't align. If the issue is technical or simply not enough time for doing everything, and you guys accept contributions, we should be able to contribute here.
Thank you ❤️
Yes, I had created this PR, but gave up on it as apparently several users (need to) stick with SPDX 2.2 as that's the ISO standard version (despite having many inconsistencies and ambiguities as e.g. mentioned here).
Yes, I'd say it's purely a technical / time problem. Now that reporters are purely independent plugin projects, my recommendation would actually be to write (and contribute back) a new SPDX reporter for SPDX 2.3 (and optionally also other versions) based on the "new" official SPDX library. Doing so would also give us a chance to properly investigate if some of the earlier concerns some of us had with using the official SPDX library still hold true.
Thanks @sschuberth. Right, backwards compatibility makes sense there. Let me circle it back with the team.
@mpermar - Let me know if I can help in any way in support of the SPDX Java library mentioned above. I'm one of the maintainers and would be very happy to see it being used in ORT.
@oss-review-toolkit/core-devs agreed that the way forward should be to try taking the upstream SPDX Java library into use in a new reporter plugin.
Glad to hear - I'm working on a version 2.0.0 of the SPDX libraries that supports the 3.0 version of the spec (as well as the SPDX 2.X versions). There are some breaking changes in the 2.0.0 version and there is still some remaining work to be done. Even though the new version will be less stable than the previous version of the library, it may be worth waiting for due to the breaking changes. Review and feedback is welcome - the work is being done on the v3-prototype branch of the SPDX libraries. I'd be happy to provide more details if interested. I can also help with any oss-review-toolkit implementations once I finish the new version.
Thanks @goneall for the feedback! Indeed I believe we should wait for version 2.0.0 then, and help maturing it. |
Just to add: we have several other tools in use that can create and/or consume SPDX files based on different versions/schemas. Would be really nice to have version agility within ORT for us in order to standardize on some common ground that all tools support. I love the approach wrt using the upstream SPDX Java library. Yay collaboration!
FYI - An "Alpha Quality" version of the SPDX Java Library is now available for testing. See https://lists.spdx.org/g/Spdx-tech/message/5723 for the announcement. Let me know if you have any questions or feedback. |
Updated this issue to also include SPDX 3.0 which was released on July 9, 2024 and will be the next ISO version.
SPDX will soon release SPDX 2.3 which at a high level includes the following changes
Propose we update ORT's SPDX Document Reporter so it can generate 2.2 and 2.3 (and later 3.0)