On 10/6/21 1:51 PM, Christopher Lusk wrote:
Below you will find a sample of the output that I am generating using
the create-spdx.bbclass found within oe-core and layers like
meta-doubleopen:
Sample output: [inline image of the generated create-spdx JSON document; not preserved in the archive]
The data field names do not match up with those set forth by the Linux
Foundation for SPDX output related to SBOMs (below), i.e. name should
appear as PackageName and version information would appear as
PackageVersion instead of the versionInfo shown above.
Those field names apply when the SPDX document is in "tag" format. We chose to
write our documents in JSON format because it is much easier to deal
with programmatically. Even though the JSON format is not described in
the SPDX documentation, my understanding is that it is an allowed format
(you can find the schema here:
https://github.com/spdx/spdx-spec/blob/development/v2.2.2/schemas/spdx-schema.json),
and most of the SPDX tools are able to handle JSON input as well.
If you really want tag format, I believe there are SPDX tools that can
convert from JSON to tag format for you.
In addition to this, I was curious to know if there are plans to
update Yocto so that the SPDX output would map to and populate all data
fields related to the NTIA's minimum and recommended fields for an
SBOM
(https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf)?
We have a large amount of SBOM information that we can provide, and I
think we would like to eventually make it possible to include all of it.
I cannot say whether that is a sufficient amount of information to
satisfy any particular government or organization requirements. Someone
would need to perform an evaluation of each particular set of
requirements, and ideally share the results back with us.
I am unaware if anyone has evaluated that *specific* document to see if
what we produce would satisfy the requirements listed there (if they
have, perhaps they can chime in). If that is something you have interest
in, you might consider doing that evaluation and sharing it with us;
from there we can determine what the next steps might be if there are
areas where we are deficient.
Thanks.
------------------------------------------------------------------------
*Christopher D. Lusk*
Product Security Analyst
Product Security Office
Lenovo
Email: cl...@lenovo.com
Lenovo.com <http://www.lenovo.com/>
Twitter <http://twitter.com/lenovo>|Instagram
<https://instagram.com/lenovo>|Facebook
<http://www.facebook.com/lenovo>|Linkedin
<http://www.linkedin.com/company/lenovo>|YouTube
<http://www.youtube.com/lenovovision>|Privacy
<https://www.lenovo.com/gb/en/privacy-selector/>
*From:* Joshua Watt <jpewhac...@gmail.com>
*Sent:* Wednesday, October 6, 2021 10:56 AM
*To:* Christopher Lusk <cl...@lenovo.com>
*Cc:* openembedded-core@lists.openembedded.org
*Subject:* [External] Re: SPDX Data Fields in Open Embedded
On Wed, Oct 6, 2021 at 9:44 AM Christopher Lusk <cl...@lenovo.com> wrote:
Hello all,
I am reaching out to inquire about an issue I have experienced as
it relates to SPDX output from the oe-core build process and
specifically the create-spdx.bbclass output. The data fields in
the output that I have produced do not line up with the SPDX data
field standards (see below) set forth by the Linux Foundation.
My question is if there are plans to update the create-spdx code
so that the output fields align with those set forth by both NTIA
and Linux Foundation?
*SPDX Mapped Field*
PackageSupplier:
PackageName:
PackageVersion:
SPDXID:
Relationship: CONTAINS
Creator:
PackageChecksum:
Can you be a little more specific and possibly provide examples of
what you are expecting to see and what it is actually generating? We
are trying to adhere to the SPDX spec, but it is possible there is
something we misinterpreted or are doing incorrectly.
Source -
https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf
Thanks.
View/Reply Online (#156702):
https://lists.openembedded.org/g/openembedded-core/message/156702
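The thread turns on two points: the JSON serialisation uses property names such as `name` and `versionInfo` where the tag-value format uses `PackageName` and `PackageVersion`, and the NTIA minimum elements are a separate question from SPDX conformance. The script below is an added example, not code from create-spdx or the SPDX project; it renders a constructed JSON document in tag-value form using the field mapping discussed above, and then reports which NTIA minimum elements (author, timestamp, supplier, name, version, unique identifier, relationship) are absent or NOASSERTION. The sample document, its package names and checksum are constructed for illustration.

```python
import json

# Constructed sample in the JSON layout the thread discusses; not real create-spdx output.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
    "creationInfo": {"created": "2021-10-06T13:51:00Z", "creators": ["Tool: constructed"]},
    "packages": [
        {"SPDXID": "SPDXRef-busybox", "name": "busybox", "versionInfo": "1.33.1",
         "supplier": "Organization: Example Vendor",
         "checksums": [{"algorithm": "SHA256", "checksumValue": "ab" * 32}]},
        {"SPDXID": "SPDXRef-libfoo", "name": "libfoo", "versionInfo": "0.1",
         "supplier": "NOASSERTION"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-busybox"},
        {"spdxElementId": "SPDXRef-busybox", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-libfoo"}]})

# JSON property -> tag-value field name for the package fields named in the thread.
PACKAGE_TAGS = [("name", "PackageName"), ("SPDXID", "SPDXID"),
                ("versionInfo", "PackageVersion"), ("supplier", "PackageSupplier")]

def json_to_tag(doc_text):
    """Render document, package, checksum and relationship data as tag-value lines."""
    doc = json.loads(doc_text)
    lines = [f"SPDXVersion: {doc['spdxVersion']}", f"SPDXID: {doc['SPDXID']}",
             f"DocumentName: {doc['name']}", f"Created: {doc['creationInfo']['created']}"]
    lines += [f"Creator: {c}" for c in doc["creationInfo"]["creators"]]
    for pkg in doc.get("packages", []):
        lines.append("")  # a blank line separates package sections in tag-value files
        lines += [f"{tag}: {pkg[key]}" for key, tag in PACKAGE_TAGS if key in pkg]
        lines += [f"PackageChecksum: {c['algorithm']}: {c['checksumValue']}"
                  for c in pkg.get("checksums", [])]
    lines += [f"Relationship: {r['spdxElementId']} {r['relationshipType']} "
              f"{r['relatedSpdxElement']}" for r in doc.get("relationships", [])]
    return "\n".join(lines)

def ntia_minimum_gaps(doc_text):
    """List NTIA minimum elements that are absent or NOASSERTION in the document."""
    doc = json.loads(doc_text)
    info = doc.get("creationInfo", {})
    gaps = [f"document: {tag} missing" for tag, key in (("Creator", "creators"),
            ("Created", "created")) if not info.get(key)]
    # every package should be reached by some relationship (DESCRIBES, CONTAINS, ...)
    in_rel = {r["relatedSpdxElement"] for r in doc.get("relationships", [])}
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        gaps += [f"{pid}: {tag} missing" for key, tag in PACKAGE_TAGS
                 if pkg.get(key) in (None, "", "NOASSERTION")]
        if pid not in in_rel:
            gaps.append(f"{pid}: no Relationship")
    return gaps
```

Running `ntia_minimum_gaps` over a real create-spdx JSON document is one way to do the evaluation the reply asks for: each reported gap is a field that would need to be populated before the output could claim to meet the NTIA minimum elements.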