Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for generating SPDX 2.3 and 3.0 files #5445

Open
tsteenbe opened this issue Jun 14, 2022 · 13 comments
Open

Add support for generating SPDX 2.3 and 3.0 files #5445

tsteenbe opened this issue Jun 14, 2022 · 13 comments
Labels
enhancement Issues that are considered to be enhancements reporter About the reporter tool

Comments

@tsteenbe
Copy link
Member

tsteenbe commented Jun 14, 2022

SPDX will soon release SPDX 2.3 which at a high level includes the following changes

  1. Support for exchanging security information see https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/external-repository-identifiers.md and https://github.com/spdx/spdx-spec/blob/development/v2.3/chapters/how-to-use.md
  2. Several fields have become optional see new SPDX 2.3 schema in https://github.com/spdx/spdx-spec/pull/716/files

Propose we update ORT's SPDX Document Reporter so it can generate 2.2 and 2.3 (and later 3.0)

@tsteenbe tsteenbe added enhancement Issues that are considered to be enhancements reporter About the reporter tool labels Jun 14, 2022
@tsteenbe

This comment was marked as outdated.

@tsteenbe tsteenbe moved this to Q2 2022 – Apr-Jun in Roadmap Jun 14, 2022
@tsteenbe tsteenbe added this to Roadmap Jun 14, 2022
@sschuberth

This comment was marked as outdated.

@tsteenbe
Copy link
Member Author

tsteenbe commented Jun 15, 2022

@goneall made the following list highlighting 2.3 versus 2.2 changes see spdx/spdx-spec#691 (comment)

@sschuberth sschuberth moved this from Q3 2022 – Jul-Sep to Q4 2022 - Oct-Dec in Roadmap Nov 2, 2022
@sschuberth sschuberth moved this from Q4 2022 - Oct-Dec to Future in Roadmap Jan 13, 2023
@sschuberth sschuberth self-assigned this Nov 9, 2023
sschuberth added a commit that referenced this issue Nov 9, 2023
Note that this changes serialization of reference categories to use
dashes instead of underscores [1]. Continue to accept underscores when
deserializing for backward-compatibility, also see the discussion at
[2]. Generally, deserialization of SPDX 2.2 is still supported.

The diff of `spdx-schema.json` nicely resembles the code changes.

Resolves #5445.

[1]: https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json#L325
[2]: CycloneDX/cyclonedx-dotnet-library#267

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@sschuberth sschuberth moved this from Future to Q4 2023 – Oct-Dez in Roadmap Nov 10, 2023
sschuberth added a commit that referenced this issue Nov 17, 2023
Note that this changes serialization of reference categories to use
dashes instead of underscores [1]. Continue to accept underscores when
deserializing for backward-compatibility, also see the discussion at
[2]. Generally, deserialization of SPDX 2.2 is still supported.

The diff of `spdx-schema.json` nicely resembles the code changes.

Resolves #5445.

[1]: https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json#L325
[2]: CycloneDX/cyclonedx-dotnet-library#267

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@sschuberth sschuberth removed their assignment Nov 25, 2023
@sschuberth sschuberth moved this from Q4 2023 – Oct-Dez to Future in Roadmap Nov 25, 2023
@mpermar
Copy link

mpermar commented Feb 20, 2024

👋 team, fantastic project here.

We have some teams that are using ORT and this support would come up quite handy as we are standardizing internal SBOMs in 2.3. I've noticed that there is a related MR and the issue has been coming in and out from the roadmap. Just out of curiosity, is this something that you plan to do in the short term?

Also, we try to contribute to OSS as we understand very often priorities don't align. If the issue is technical or simply not enough time for doing everything and you guys accept contributions, we should be able to contribute here.

@sschuberth
Copy link
Member

sschuberth commented Feb 20, 2024

👋 team, fantastic project here.

Thank you ❤️

I've noticed that there is a related MR and the issue has been coming in and out from the roadmap. Just out of curiosity, is this something that you plan to do in the short term?

Yes, I had created this PR, but gave up on it as apparently several users (need to) stick with SPDX 2.2 as that's the ISO standard version (despite having many inconsistencies and ambiguities as e.g. mentioned here).

If the issue is technical or simply not enough time for doing everything and you guys accept contributions, we should be able to contribute here.

Yes, I'd say it's purely a technical / time problem. Now that reporters are purely independent plugin projects, my recommendation would actually be to write (and contribute back) a new SPDX reporter for SPDX 2.3 (and optionally also other versions) based on the "new" official SPDX library. Doing so would also give us a chance to properly investigate if some of the earlier concerns some of us had with using the official SPDX library still hold true.

@mpermar
Copy link

mpermar commented Feb 20, 2024

Thanks @sschuberth. Right, backwards compatibility makes sense there. Let me circle it back with the team.

@goneall
Copy link

goneall commented Feb 20, 2024

@mpermar - Let me know if I can help in any way in support of the SPDX Java library mentioned above. I'm one of the maintainers and would be very happy to see it being used in ORT.

@sschuberth sschuberth added the help wanted An issue where third-party help is wanted on label Jul 1, 2024
@sschuberth
Copy link
Member

@oss-review-toolkit/core-devs agreed that the way forward should be to try taking the upstream SPDX Java library into use in a new reporter plugin.

@goneall
Copy link

goneall commented Jul 2, 2024

@oss-review-toolkit/core-devs agreed that the way forward should be to try taking the upstream SPDX Java library into use in a new reporter plugin.

Glad to hear - I'm working on a version 2.0.0 of the SPDX libraries that support the 3.0 version of the spec (as well as the SPDX 2.X versions).

There are some breaking changes in the 2.0.0 version and there is still some remaining work to be done. Even though the new version will be less stable than the previous version of the library, it may be worth waiting for due to the breaking changes. Review and feedback is welcome - the work is being done on the v3-prototype branch of the SPDX libraries.

I'd be happy to provide more details if interested. I can also help with any oss-review-toolkit implementations once I finish the new version.

@sschuberth
Copy link
Member

Thanks @goneall for the feedback! Indeed I believe we should wait for version 2.0.0 then, and help maturing it.

@grnrs
Copy link

grnrs commented Jul 4, 2024

Just to add: we have several others tools in use that can create and/or consume SPDX files based on different versions/schemas. Would be really nice to have version agility within ORT for us in order to standardize on some common ground that all tools support.

I love the approach wrt to using the upstream SPDX java library. Yay collaboration!

@sschuberth sschuberth removed the help wanted An issue where third-party help is wanted on label Jul 4, 2024
@goneall
Copy link

goneall commented Sep 6, 2024

FYI - An "Alpha Quality" version of the SPDX Java Library is now available for testing. See https://lists.spdx.org/g/Spdx-tech/message/5723 for the announcement. Let me know if you have any questions or feedback.

@tsteenbe tsteenbe changed the title Add support for generating SPDX 2.3 files Add support for generating SPDX 2.3 and 3.0 files Nov 13, 2024
@tsteenbe
Copy link
Member Author

Updated this issue to also include SPDX 3.0 which was released on Juli 9, 2024 and will be the next ISO version.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement Issues that are considered to be enhancements reporter About the reporter tool
Projects
Status: Future
Development

No branches or pull requests

6 participants