
Adapt new and existing package metadata as SPDX relationships #476

Open
Tracked by #444
wagoodman opened this issue Aug 10, 2021 · 7 comments · Fixed by #507
Labels
blocked Progress is being stopped by something enhancement New feature or request format:spdx SPDX related enhancement or bug

Comments

wagoodman (Contributor) commented Aug 10, 2021

SPDX has the concept of relationships that can be applied to packages, files, or other artifacts. This issue aims to explore what existing metadata can be expressed via SPDX relationships as well as potentially add more metadata to collect via the catalogers that can be expressed as SPDX relationships.

Internal to syft there is already the concept of package-to-package relationships, what isn't clear is if this should be further expanded generally or isolated only to the SPDX presenter (which is generally a new concept, since all data typically gets expressed via the JSON model first).

@wagoodman wagoodman mentioned this issue Aug 10, 2021
@wagoodman wagoodman changed the title Adapt new and existing package metadata as SPDX relationships [SPDX] Adapt new and existing package metadata as SPDX relationships Aug 10, 2021
@luhring luhring added the enhancement New feature or request label Aug 10, 2021
@wagoodman wagoodman added the I/O Describes bug or enhancement around application input or output label Aug 23, 2021
@spiffcs spiffcs self-assigned this Sep 10, 2021
spiffcs (Contributor) commented Sep 13, 2021

I've been doing research on this since Friday afternoon and this AM. The first question I have concerns this repository:
https://github.com/spdx/tools-golang

The library is hosted by the spdx organization and defines roughly the same model we do in presenter/packagers/model/spdx22.

If we want to express SPDX relationships for 2.2 correctly I think the first discussion should be around if we move to their model or keep our presenter model.

The tough part with this proposal is that their model is not designed as a presenter (no JSON tags).

They take a pretty interesting approach as far as marshalling/unmarshalling.

Check out their parsing code here.

@wagoodman if you have time today can we talk a bit about the complexity of juggling our JSON model against the spdx tool model and then wrapping that into a "correct" presenter?

kzantow (Contributor) commented Sep 13, 2021

One thing of note: I think CycloneDX also has a way of specifying dependencies using a bom-ref: https://cyclonedx.org/use-cases/#dependency-graph so we would quite possibly want this handled somehow in our own model. Although it is possible this is just a reference within the document itself, it's a bit unclear to me.

spiffcs (Contributor) commented Sep 14, 2021

Added - #507 as a starting point to build out the initial ROOT --> Package relationships. This PR makes the assumption that packages discovered by the cataloger are all directly related to the scanned image/directory.

spiffcs (Contributor) commented Sep 15, 2021

#507 has been updated to now populate Files and include vertices between Packages and Files in the Relationships field.
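
To make the two comments above concrete (the ROOT --> Package edges from #507 and the Package --> File edges added afterwards), here is an added example that is not code from syft, #507, or spdx/tools-golang. It builds the relationship edges for one scanned root as plain structs shaped like the SPDX 2.2 JSON `relationships` entries, serializes them, and validates that every edge refers to an element defined in the document, which is the failure mode an SBOM consumer is most likely to hit with hand-rolled relationships. The root ID, package IDs and file IDs are constructed sample values; `DESCRIBES` and `CONTAINS` are standard SPDX 2.2 relationship types and `SPDXRef-DOCUMENT` is the standard document identifier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Relationship mirrors one entry of the SPDX 2.2 JSON "relationships" array.
type Relationship struct {
	SpdxElementID      string `json:"spdxElementId"`
	RelationshipType   string `json:"relationshipType"`
	RelatedSpdxElement string `json:"relatedSpdxElement"`
}

// DocumentID is the standard SPDX identifier for the document itself.
const DocumentID = "SPDXRef-DOCUMENT"

// Package is a constructed, minimal stand-in for a cataloged package:
// its SPDX ID plus the SPDX IDs of the files it owns.
type Package struct {
	ID    string
	Files []string
}

// BuildRelationships encodes the assumption discussed in the thread:
// the document DESCRIBES a single root (the scanned image/directory),
// every cataloged package is directly CONTAINED by that root, and each
// package CONTAINS the files attributed to it.
func BuildRelationships(rootID string, pkgs []Package) []Relationship {
	rels := []Relationship{{DocumentID, "DESCRIBES", rootID}}
	for _, p := range pkgs {
		rels = append(rels, Relationship{rootID, "CONTAINS", p.ID})
		for _, f := range p.Files {
			rels = append(rels, Relationship{p.ID, "CONTAINS", f})
		}
	}
	return rels
}

// KnownElements returns the set of element IDs a document built from
// rootID and pkgs would define, so edges can be checked against it.
func KnownElements(rootID string, pkgs []Package) map[string]bool {
	known := map[string]bool{DocumentID: true, rootID: true}
	for _, p := range pkgs {
		known[p.ID] = true
		for _, f := range p.Files {
			known[f] = true
		}
	}
	return known
}

// ValidateRelationships returns the sorted list of element IDs referenced
// by an edge but not defined in the document (dangling references).
func ValidateRelationships(rels []Relationship, known map[string]bool) []string {
	seen := map[string]bool{}
	for _, r := range rels {
		for _, id := range []string{r.SpdxElementID, r.RelatedSpdxElement} {
			if !known[id] {
				seen[id] = true
			}
		}
	}
	missing := make([]string, 0, len(seen))
	for id := range seen {
		missing = append(missing, id)
	}
	sort.Strings(missing)
	return missing
}

// ToJSON renders the edges the way they appear in an SPDX 2.2 JSON document.
func ToJSON(rels []Relationship) (string, error) {
	b, err := json.MarshalIndent(map[string][]Relationship{"relationships": rels}, "", "  ")
	return string(b), err
}

func main() {
	// Constructed sample: one root, two packages, one file.
	root := "SPDXRef-Root-image"
	pkgs := []Package{
		{ID: "SPDXRef-Package-libc", Files: []string{"SPDXRef-File-libc-so"}},
		{ID: "SPDXRef-Package-busybox"},
	}
	rels := BuildRelationships(root, pkgs)
	out, _ := ToJSON(rels)
	fmt.Println(out)
	fmt.Println("dangling:", ValidateRelationships(rels, KnownElements(root, pkgs)))
}
```

Running the validator against the edges you emit is cheap and catches the case where a file or package was referenced in an edge but dropped from the `files` or `packages` array, which SPDX consumers typically reject.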

spiffcs (Contributor) commented Sep 20, 2021

Before we dig further into relationships it's probably worth tackling some of the prioritized bugs we have surrounding SPDX. I pulled in #460 to make some progress in cleaning up our license section.

@spiffcs spiffcs linked a pull request Sep 20, 2021 that will close this issue
spiffcs (Contributor) commented Sep 28, 2021

@luhring The next step for making this better is starting to dive into the architecture changes we talked about on Monday.

#516

We'll work on refining this issue so we have a clear path to get syft's command API in the right place.

@wagoodman wagoodman changed the title [SPDX] Adapt new and existing package metadata as SPDX relationships Adapt new and existing package metadata as SPDX relationships Oct 16, 2021
@wagoodman wagoodman added the format:spdx SPDX related enhancement or bug label Oct 16, 2021
@spiffcs spiffcs removed their assignment Oct 19, 2021
@wagoodman wagoodman added the blocked Progress is being stopped by something label Oct 19, 2021
wagoodman (Contributor, Author) commented Oct 19, 2021

I've broken out package relationships work into #572 such that package catalogers raise this information before presenters/formats can leverage them (such as SPDX).

@wagoodman wagoodman added this to OSS Feb 7, 2024
@wagoodman wagoodman removed the I/O Describes bug or enhancement around application input or output label Feb 7, 2024