From 89d76d625ecb1a537a74a1cb49c3c6a55eb8c9bf Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Wed, 12 Apr 2023 14:03:52 +0200 Subject: [PATCH 1/2] Update SPDX predicate specification This commit contains a suggestion for updating the SPDX predicate specification, to include the version in the predicateType. The motivation for this change is the same as the motivation that was mentioned for including the version in the CycloneDX predicate specification, which is that it allows a consumer to determine the version without having to parse the predicate itself. Signed-off-by: Daniel Bevenius --- spec/predicates/spdx.md | 56 ++++++++++++++++++++++++++++------------- 1 file changed, 39 insertions(+), 17 deletions(-) diff --git a/spec/predicates/spdx.md b/spec/predicates/spdx.md index 88bfc083..5c6c71ed 100644 --- a/spec/predicates/spdx.md +++ b/spec/predicates/spdx.md 
@@ -1,25 +1,47 @@ # Predicate type: SPDX -Type URI: (tentative) https://spdx.dev/Document +Type URI: https://spdx.dev/Document -Version: 1.0.0 - -TODO: Ask SPDX project to choose a URI and to review this spec. Ideally the URI -would resolve to this file. Also, decide whether we want the version number to -reflect the spdxVersion (e.g. 2.2) or have them be independent (no version -number in URI). +Version: 2.3 ## Purpose A Software Bill of Materials type following the -[SPDX standard](https://spdx.dev/specifications/). +[SPDX Specification]. This allows to represent an "exportable" or "published" software artifact. It can also be used as an entry point for other types of in-toto attestation when performing policy decisions. +## Prerequisites + +The in-toto [attestation] framework and a [SPDX generation tool]. + +## Model + +This is a predicate type that fits within the larger [Attestation] framework. + ## Schema +The schema of this predicate type is documented in the +[SPDX Specification]. + +### Parsing Rules + +The parsing rules for this predicate type are documented in the +[SPDX Specification]. + +### Fields + +The fields that make up this predicate type are documented in the +[SPDX specification]. + +The `predicate` contains a JSON-encoded SPDX document. +The `subject` contains whatever software artifacts are to be associated with +this SPDX document. + +## Example + ```jsonc { // Standard attestation fields: 
@@ -27,21 +49,21 @@ performing policy decisions. "subject": [{ ... }], // Predicate: - "predicateType": "https://spdx.dev/Document", + "predicateType": "https://spdx.dev/Document/v2.3", "predicate": { "SPDXID" : "SPDXRef-DOCUMENT", - "spdxVersion" : "SPDX-2.2", + "spdxVersion" : "SPDX-2.3", ... } } ``` -_(Note: This is a Predicate type that fits within the larger -[Attestation](../README.md) framework.)_ +## Changelog and Migrations -The `predicate` contains a JSON-encoded SPDX document. The SPDX format has a -mandatory `spdxVersion` field, so we omit the version number from the -`predicateType` URI to avoid confusion. +### Version 2.3 -The `subject` contains whatever software artifacts are to be associated with -this SPDX document. +- Added version to predicateType + +[Attestation]: ../README.md +[SPDX specification]: https://spdx.github.io/spdx-spec/v2.3 +[SPDX generation tool]: https://spdx.dev/resources/tools/ From 47c66bf2d1420854aeed8559a3a613ff8a25ca30 Mon Sep 17 00:00:00 2001 From: Daniel Bevenius Date: Wed, 12 Apr 2023 15:35:32 +0200 Subject: [PATCH 2/2] squash! Update SPDX predicate specification Add the removed TODO. Signed-off-by: Daniel Bevenius --- spec/predicates/spdx.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/spec/predicates/spdx.md b/spec/predicates/spdx.md index 5c6c71ed..f7a3de5a 100644 --- a/spec/predicates/spdx.md +++ b/spec/predicates/spdx.md @@ -4,6 +4,11 @@ Type URI: https://spdx.dev/Document Version: 2.3 +TODO: Ask SPDX project to choose a URI and to review this spec. Ideally the URI +would resolve to this file. Also, decide whether we want the version number to +reflect the spdxVersion (e.g. 2.2) or have them be independent (no version +number in URI). + ## Purpose A Software Bill of Materials type following the
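Review bot: in the first hunk (`@@ -1,25 +1,47 @@`) the `Type URI:` line becomes `https://spdx.dev/Document` with no version, while the example in the following hunk sets `"predicateType": "https://spdx.dev/Document/v2.3"`; the header should state the versioned URI, or the rule for deriving it (for instance `https://spdx.dev/Document/v<spdxVersion>`), so a consumer matching on the Type URI and a producer copying the example agree. The same hunk changes `Version: 1.0.0` to `Version: 2.3`, which silently makes this document's version track the SPDX spec version; say so in the text, because the Changelog entry `### Version 2.3` / `- Added version to predicateType` otherwise reads as a bump of this document's own 1.0.0. Minor style point: the new reference labels appear as both `[SPDX Specification]` and `[SPDX specification]`, and as `[attestation]` and `[Attestation]`; Markdown resolves reference labels case-insensitively, but one spelling is easier to grep and review.

Review bot: the second hunk (`@@ -27,21 +49,21 @@`) removes the paragraph that explained why the version was kept out of the URI ("The SPDX format has a mandatory `spdxVersion` field, so we omit the version number from the `predicateType` URI to avoid confusion") and adds `/v2.3` to the URI without saying what a consumer should do when the two copies disagree, e.g. `"predicateType": "https://spdx.dev/Document/v2.3"` together with `"spdxVersion" : "SPDX-2.2"` inside the predicate. Suggest adding one sentence under `### Fields` stating that the version in `predicateType` MUST equal the `spdxVersion` of the embedded document and that a verifier MUST reject the attestation otherwise; that turns the duplicate into a cheap consistency check rather than a second source of truth. The new `## Changelog and Migrations` section also has no migration note for the unversioned `https://spdx.dev/Document` predicateType that existing producers emit, i.e. whether consumers should keep accepting it.

Review bot: the TODO re-added in the `squash!` commit (`@@ -4,6 +4,11 @@`) still asks to "decide whether we want the version number to reflect the spdxVersion (e.g. 2.2) or have them be independent (no version number in URI)", but the first patch already decides this by setting `Version: 2.3` and using `https://spdx.dev/Document/v2.3`; either drop that sentence or reduce the TODO to the question that remains open (whether the SPDX project will host the URI and whether it should resolve to this file). `e.g. 2.2` is also stale next to `Version: 2.3` on the line directly above it. Since this is a `squash!` commit, the reworded TODO lands in the first commit, whose message should then mention that the TODO is kept rather than removed.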
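The commit message argues that the version in `predicateType` lets a consumer pick the SPDX version without parsing the predicate. The following Python example is added here and is not code from the patch or from the in-toto project; it shows a consumer routing on the URI and, because the SPDX document still carries its own mandatory `spdxVersion`, cross-checking the two so that a mismatched pair is rejected instead of the URI being trusted alone. The URI shape `https://spdx.dev/Document/v2.3` and the field value `SPDX-2.3` come from the patch's example; the regular expressions, the `SUPPORTED` set, the `_statement` helper and the three sample Statements are this example's own assumptions.

```python
"""Consumer-side handling of a versioned SPDX predicateType.

Added example, not code from the in-toto attestation project or from
the patch under review. Assumptions: the URI scheme from the patch's
example (https://spdx.dev/Document/v2.3), SPDX's own 'spdxVersion'
field ('SPDX-2.3'), and a policy that the two must agree.
"""
import json
import re

# Unversioned (pre-patch) predicateType from the old spec text.
SPDX_PREDICATE_TYPE = "https://spdx.dev/Document"
# Versioned form from the patch's example, e.g. .../Document/v2.3
_VERSIONED_URI = re.compile(r"^https://spdx\.dev/Document/v(\d+\.\d+)$")
# SPDX's mandatory version field, e.g. "SPDX-2.3"
_SPDX_VERSION = re.compile(r"^SPDX-(\d+\.\d+)$")
# Versions this (hypothetical) consumer knows how to evaluate.
SUPPORTED = {"2.2", "2.3"}


def version_from_predicate_type(predicate_type):
    """Return the SPDX version carried in the predicateType URI, or None
    for the unversioned URI. Any other URI is not an SPDX predicate."""
    if predicate_type == SPDX_PREDICATE_TYPE:
        return None
    m = _VERSIONED_URI.match(predicate_type)
    if not m:
        raise ValueError("not an SPDX predicate type: %r" % predicate_type)
    return m.group(1)


def version_from_spdx_document(predicate):
    """Return the version from the document's mandatory spdxVersion field."""
    field = predicate.get("spdxVersion")
    m = _SPDX_VERSION.match(field or "")
    if not m:
        raise ValueError("missing or malformed spdxVersion: %r" % field)
    return m.group(1)


def spdx_version_of(statement_json):
    """Route on predicateType first, then cross-check against the payload.

    Returns the SPDX version as a string. Raises ValueError when the
    version in the URI and the one inside the document disagree, so a
    policy engine cannot be steered by a predicateType that does not
    describe the document it actually carries.
    """
    statement = json.loads(statement_json)
    uri_version = version_from_predicate_type(statement["predicateType"])
    # Routing decision made without touching the predicate body.
    if uri_version is not None and uri_version not in SUPPORTED:
        raise ValueError("unsupported SPDX version in predicateType: %s"
                         % uri_version)
    doc_version = version_from_spdx_document(statement["predicate"])
    if uri_version is not None and uri_version != doc_version:
        raise ValueError("predicateType says %s but spdxVersion says %s"
                         % (uri_version, doc_version))
    return doc_version


def validate(statement_json):
    """Return (version, None) on success or (None, reason) on rejection."""
    try:
        return spdx_version_of(statement_json), None
    except (KeyError, ValueError) as exc:
        return None, str(exc)


def _statement(predicate_type, spdx_version):
    """Constructed sample in-toto Statement; the subject digest is a
    placeholder and the SPDX document is reduced to its version fields."""
    return json.dumps({
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "0" * 64}}],
        "predicateType": predicate_type,
        "predicate": {"SPDXID": "SPDXRef-DOCUMENT",
                      "spdxVersion": spdx_version,
                      "name": "app-sbom"},
    })


SAMPLE_OK = _statement("https://spdx.dev/Document/v2.3", "SPDX-2.3")
SAMPLE_LEGACY = _statement("https://spdx.dev/Document", "SPDX-2.2")
SAMPLE_MISMATCH = _statement("https://spdx.dev/Document/v2.3", "SPDX-2.2")

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("legacy", SAMPLE_LEGACY),
                          ("mismatch", SAMPLE_MISMATCH)):
        print(label, validate(sample))
```

The unversioned URI is still accepted in this example because the spec text before the patch told producers to emit it; a consumer that only ever saw versioned URIs can tighten `version_from_predicate_type` to reject it.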