https://bugs.linuxfoundation.org/show_bug.cgi?id=1295

             Bug #: 1295
           Summary: formally capture External Identifiers (e.g. Maven GAV,
                    NIST CPE) by which a Package is known in SPDX
           Product: SPDX
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Spec
        AssignedTo: spdx-t...@fossbazaar.org
        ReportedBy: bschinel...@blackducksoftware.com
    Classification: Unclassified


Capture External Identifiers (e.g. Maven GAV, NIST CPE) by which a Package is
known in SPDX doc.

So that SPDX data can be easily correlated with data that other repositories,
package management, and build systems have about the package.

Each of these external systems has its own format for a specific version of a
'package' (what SPDX calls a package, other systems might call an 'artifact' or
Vendor-Product-Version...).


1) Maven
Format: <Group>:<Artifact>[:<Version>]
Example: activemq:activemq-transport-http:1.3

2) CPE (Common Product Enumeration), see https://cpe.mitre.org/specification/
Format: cpe:/a:<Vendor>:<Product>:<Version>[:<Update>][:<Edition> | packed field]
Example: cpe:/a:acegisecurity:acegi-security:1.0.3

3) Rubygems
Format: <component name>[/<release>]
Example: ActionTimer/0.0.2

4) npmjs
Format: <component name>[/<release>]
Example: rethinkdbdash/1.16.3

5) NuGet
Format: <component name>[/<release>]
Example: AForge.Controls/2.2.3

_______________________________________________
Spdx-tech mailing list
Spdx-tech@lists.spdx.org
https://lists.spdx.org/mailman/listinfo/spdx-tech
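
A parser for the five identifier formats listed in the report, added here as an example (it is not part of the original bug report or of the SPDX spec). The names `ExternalId` and `parse_external_id` are hypothetical, and validation covers only the field layout the report gives.

```python
from typing import NamedTuple, Optional


class ExternalId(NamedTuple):
    """Hypothetical normalized form of an external package identifier."""
    system: str               # "maven", "cpe", "rubygems", "npmjs" or "nuget"
    namespace: Optional[str]  # Maven group or CPE vendor; None for the others
    name: str                 # artifact / product / component name
    version: Optional[str]    # None when the optional version is omitted
    extra: tuple = ()         # trailing CPE fields (update, edition), if any


# Systems that share the <component name>[/<release>] layout in the report.
NAME_RELEASE_SYSTEMS = {"rubygems", "npmjs", "nuget"}
CPE_PREFIX = "cpe:/a:"


def parse_external_id(system: str, value: str) -> ExternalId:
    """Parse `value` using the format the report lists for `system`."""
    system = system.lower()
    if system == "maven":
        # <Group>:<Artifact>[:<Version>]
        parts = value.split(":")
        if len(parts) not in (2, 3) or not all(parts):
            raise ValueError(f"not a Maven identifier: {value!r}")
        version = parts[2] if len(parts) == 3 else None
        return ExternalId("maven", parts[0], parts[1], version)
    if system == "cpe":
        # cpe:/a:<Vendor>:<Product>:<Version>[:<Update>][:<Edition>]
        if not value.startswith(CPE_PREFIX):
            raise ValueError(f"not an application CPE: {value!r}")
        fields = value[len(CPE_PREFIX):].split(":")
        if not 3 <= len(fields) <= 5 or not all(fields[:3]):
            raise ValueError(f"malformed CPE: {value!r}")
        vendor, product, version = fields[:3]
        return ExternalId("cpe", vendor, product, version, tuple(fields[3:]))
    if system in NAME_RELEASE_SYSTEMS:
        # <component name>[/<release>]; names containing "/" are not handled.
        name, sep, release = value.partition("/")
        if not name or (sep and not release):
            raise ValueError(f"malformed {system} identifier: {value!r}")
        return ExternalId(system, None, name, release or None)
    raise ValueError(f"unknown external system: {system!r}")


if __name__ == "__main__":
    # Sample values are the examples given in the report.
    print(parse_external_id("maven", "activemq:activemq-transport-http:1.3"))
    print(parse_external_id("cpe", "cpe:/a:acegisecurity:acegi-security:1.0.3"))
    print(parse_external_id("npmjs", "rethinkdbdash/1.16.3"))
```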