
Remove support for SPDX #1053

Status: Closed
stevespringett opened this issue May 25, 2021 · 2 comments

Assignees: stevespringett
Labels: p2 (Non-critical bugs, and features that help organizations to identify and reduce risk), pending release, technical debt

Comments

@stevespringett (Member)

In a recent draft response to NIST regarding the Executive Order, OpenSSF (Linux Foundation) had an initial statement from David Wheeler that they would pay to write SPDX plugins. SPDX is over ten years old, has fewer tools than other SBOM standards, and LF has entertained the idea of paying others to support it.

The text was subsequently changed; however, David Wheeler is the Director of Open Source Supply Chain Security at the Linux Foundation, and is in a position of knowing strategically what the foundation is doing.
https://docs.google.com/document/d/13SS6u2bQswfRYNi-WXm4dJZkgGHZK7slYZQ75HXTVns/edit?disco=AAAAIlxfpo4

This type of forced standard does not align to the values of the Dependency-Track project.

Support for SPDX will be removed from a future version.

https://docs.google.com/document/d/13SS6u2bQswfRYNi-WXm4dJZkgGHZK7slYZQ75HXTVns/edit

@stevespringett stevespringett added technical debt p2 Non-critical bugs, and features that help organizations to identify and reduce risk labels May 25, 2021
@stevespringett stevespringett added this to the 4.4 milestone May 25, 2021
@stevespringett stevespringett self-assigned this May 25, 2021
@stevespringett (Member, Author)

Clarification. This only applies to SPDX SBOMs, not SPDX license IDs or expressions.

@stevespringett (Member, Author) commented May 29, 2021

It has come to the attention of the OWASP and CycloneDX community that SPDX is copying/pasting code, line by line, from some CycloneDX projects into their own projects, without any form of attribution.

Two such examples are:

1. https://github.com/spdx/spdx-sbom-generator/blob/693b2a2df4c166b097e3c7c09df6861250e8e877/internal/modules/gomod/handler.go#L125-L138
   vs.
   https://github.com/CycloneDX/cyclonedx-gomod/blob/91534cd0bedaaea8d50af2eb6a4a03cb9cd0d605/internal/gomod/gomod.go#L177-L190

2. https://github.com/spdx/spdx-sbom-generator/blob/693b2a2df4c166b097e3c7c09df6861250e8e877/internal/modules/gomod/handler.go#L64-L81
   vs.
   https://github.com/CycloneDX/cyclonedx-gomod/blob/cb6081aaaeaccba1b47477b968079e718db49427/internal/gocmd/gocmd.go#L11-L29


Giving credit appears to be a hard thing for the SPDX team to do: (CycloneDX/cyclonedx-gomod#20 (comment) -> https://twitter.com/lorenc_dan/status/1397879783078379522).

Due to these practices, removal of SPDX from OWASP Dependency-Track has been expedited. No future release of Dependency-Track will include support for SPDX.

stevespringett added a commit that referenced this issue May 29, 2021
…egacy SPDX Tools library. Added Apache Commons Compress that previously came in through a dependency of SPDX Tools. Updated documentation to reflect this change.
stevespringett added a commit that referenced this issue May 30, 2021
@DependencyTrack DependencyTrack locked as resolved and limited conversation to collaborators May 30, 2021