On 10/6/21 1:51 PM, Christopher Lusk wrote:

Below you will find a sample of the output that I am generating using the create-spdx.bbclass found within oe-core and layers like meta-doubleopen:

Sample output:


The data field names do not match up with those set forth by the Linux Foundation for SPDX output related to SBOMs (below), i.e. name should appear as PackageName and version information would appear as PackageVersion instead of the versionInfo shown above.

Those fields are when the SPDX document is in "tag" format. We chose to write our documents in JSON format because it is much easier to deal with programmatically. Even though the JSON format is not described in the SPDX documentation, my understanding is that it is an allowed format (you can find the schema here: https://github.com/spdx/spdx-spec/blob/development/v2.2.2/schemas/spdx-schema.json), and most of the SPDX tools are able to handle JSON input as well.


If you really want tag format, I believe there are SPDX tools that can convert from JSON to tag format for you.


In addition to this, I was curious to know if there are plans to update Yocto so that the SPDX output would map to and populate all data fields related to the NTIA's minimum and recommended fields for an SBOM (https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf)?


We have a large amount of SBOM information that we can provide, and I think we would like to eventually make it possible to include all of it. I cannot say whether that is a sufficient amount of information to satisfy any particular government or organization requirements. Someone would need to perform an evaluation of each particular set of requirements, and ideally share the results back with us.


I am unaware if anyone has evaluated that *specific* document to see if what we produce would satisfy the requirements listed there (if they have, perhaps they can chime in). If that is something you have interest in, you might consider doing that evaluation and sharing it with us; from there we can determine what the next steps might be if there are areas where we are deficient.


Thanks.

------------------------------------------------------------------------

*Christopher D. Lusk*
Product Security Analyst
Product Security Office
Lenovo

Email: cl...@lenovo.com
Lenovo.com <http://www.lenovo.com/>
Twitter <http://twitter.com/lenovo> | Instagram <https://instagram.com/lenovo> | Facebook <http://www.facebook.com/lenovo> | Linkedin <http://www.linkedin.com/company/lenovo> | YouTube <http://www.youtube.com/lenovovision> | Privacy <https://www.lenovo.com/gb/en/privacy-selector/>


*From:* Joshua Watt <jpewhac...@gmail.com>
*Sent:* Wednesday, October 6, 2021 10:56 AM
*To:* Christopher Lusk <cl...@lenovo.com>
*Cc:* openembedded-core@lists.openembedded.org
*Subject:* [External] Re: SPDX Data Fields in Open Embedded

On Wed, Oct 6, 2021 at 9:44 AM Christopher Lusk <cl...@lenovo.com> wrote:

    Hello all,

    I am reaching out to inquire about an issue I have experienced as
    it relates to SPDX output from the oe-core build process and
    specifically the create-spdx.bbclass output.  The data fields in
    the output that I have produced do not line up with the SPDX data
    field standards (see below) set forth by the Linux Foundation.

    My question is if there are plans to update the create-spdx code
    so that the output fields align with those set forth by both NTIA
    and Linux Foundation?

    *SPDX Mapped Field*

    PackageSupplier:
    PackageName:
    PackageVersion:
    SPDXID:
    Relationship: CONTAINS
    Creator:
    PackageChecksum:

Can you be a little more specific and possibly provide examples of what you are expecting to see and what it is actually generating? We are trying to adhere to the SPDX spec, but it is possible there is something we misinterpreted or are doing incorrectly.

    Source -
    https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf

    Thanks.

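The field-name mismatch Christopher raises and the JSON-to-tag conversion Joshua mentions, as an added example that is not part of this thread and not oe-core's own code: it maps the JSON keys create-spdx emits (name, versionInfo, supplier, SPDXID, checksums, relationships) to their tag-value field names and checks a document against the NTIA minimum elements. The sample document, the key mapping and the NTIA crosswalk are my own constructions, not an official mapping.

```python
import json

# Constructed sample in create-spdx's JSON layout (SPDX 2.2 schema subset); illustrative values.
SAMPLE_SPDX_JSON = """{
  "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
  "creationInfo": {"created": "2021-10-06T00:00:00Z", "creators": ["Tool: create-spdx"]},
  "packages": [{"SPDXID": "SPDXRef-Package-busybox", "name": "busybox",
                "versionInfo": "1.34.0", "supplier": "Organization: Example Corp",
                "checksums": [{"algorithm": "SHA256", "checksumValue": "ab12cd34"}]}],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                     "relatedSpdxElement": "SPDXRef-Package-busybox"}]
}"""
SAMPLE_DOC = json.loads(SAMPLE_SPDX_JSON)

# JSON key -> tag-value field name, for the package fields raised in the thread.
PACKAGE_FIELD_MAP = {"SPDXID": "SPDXID", "name": "PackageName",
                     "versionInfo": "PackageVersion", "supplier": "PackageSupplier"}

# NTIA minimum elements -> the SPDX JSON key carrying each (my crosswalk, not an official one).
NTIA_PACKAGE_ELEMENTS = {"Supplier Name": "supplier", "Component Name": "name",
                         "Version of the Component": "versionInfo",
                         "Other Unique Identifiers": "SPDXID"}

def to_tag_value(doc):
    """Render the packages and relationships of a JSON document as tag-value lines."""
    lines = []
    for pkg in doc.get("packages", []):
        lines += [f"{tag}: {pkg[key]}" for key, tag in PACKAGE_FIELD_MAP.items() if key in pkg]
        lines += [f"PackageChecksum: {c['algorithm']}: {c['checksumValue']}"
                  for c in pkg.get("checksums", [])]
    lines += [f"Relationship: {r['spdxElementId']} {r['relationshipType']} {r['relatedSpdxElement']}"
              for r in doc.get("relationships", [])]
    return lines

def ntia_gaps(doc):
    """List the NTIA minimum elements this document leaves unpopulated."""
    gaps = [f"{element} missing for {pkg.get('SPDXID', '<no SPDXID>')}"
            for pkg in doc.get("packages", [])
            for element, key in NTIA_PACKAGE_ELEMENTS.items() if not pkg.get(key)]
    info = doc.get("creationInfo", {})
    if not doc.get("relationships"):
        gaps.append("Dependency Relationship missing (no relationships array)")
    if not info.get("creators"):
        gaps.append("Author of SBOM Data missing (creationInfo.creators)")
    if not info.get("created"):
        gaps.append("Timestamp missing (creationInfo.created)")
    return gaps

if __name__ == "__main__":
    print("\n".join(to_tag_value(SAMPLE_DOC)))
    print("NTIA gaps:", ntia_gaps(SAMPLE_DOC) or "none")
```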

View/Reply Online (#156702): https://lists.openembedded.org/g/openembedded-core/message/156702