https://bugs.linuxfoundation.org/show_bug.cgi?id=1295
Bug #: 1295
Summary: formally capture External Identifiers (e.g. Maven GAV, NIST CPE) by which a Package is known in SPDX
Product: SPDX
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Spec
AssignedTo: spdx-t...@fossbazaar.org
ReportedBy: bschinel...@blackducksoftware.com
Classification: Unclassified

Capture External Identifiers (e.g. Maven GAV, NIST CPE) by which a Package is known in SPDX doc, so that SPDX data can be easily correlated with data that other repositories, package management, build systems have about the package.

Each of these external systems has its own format for a specific version of a 'package' (what SPDX calls a package, other systems might call an 'artifact' or Vendor-Product-Version...)

1) Maven
   Format: <Group>:<Artifact>[:<Version>]
   Example: activemq:activemq-transport-http:1.3

2) CPE (Common Product Enumeration), see https://cpe.mitre.org/specification/
   Format: cpe:/a:<Vendor>:<Product>:<Version>[:<Update>][:<Edition> | packed field]
   Example: cpe:/a:acegisecurity:acegi-security:1.0.3

3) Rubygems
   Format: <component name>[/<release>]
   Example: ActionTimer/0.0.2

4) npmjs
   Format: <component name>[/<release>]
   Example: rethinkdbdash/1.16.3

5) NuGet
   Format: <component name>[/<release>]
   Example: AForge.Controls/2.2.3
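The identifier formats listed in the report, as an added example (not part of the original bug report or of the SPDX specification): a Python parser that validates each format and splits it into namespace, name and version before the value is used to correlate an SPDX Package with another system. The names ExternalId and parse_external_id, the allowed character set, and the handling of npm scoped names are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

class ExternalId(NamedTuple):
    system: str                # external system the identifier belongs to
    namespace: Optional[str]   # Maven group or CPE vendor; None otherwise
    name: str
    version: Optional[str]

# Assumption: fields are limited to this character set; the report defines none.
_FIELD = re.compile(r"[A-Za-z0-9_.~%@+-]+")

def _check(*fields):
    for f in fields:
        if not _FIELD.fullmatch(f):
            raise ValueError(f"empty or malformed field: {f!r}")

def parse_external_id(system: str, value: str) -> ExternalId:
    system = system.lower()
    if system == "maven":      # <Group>:<Artifact>[:<Version>]
        f = value.split(":")
        if len(f) not in (2, 3):
            raise ValueError("maven: expected 2 or 3 colon-separated fields")
        _check(*f)
        return ExternalId(system, f[0], f[1], f[2] if len(f) == 3 else None)
    if system == "cpe":        # cpe:/a:<Vendor>:<Product>:<Version>[:...]
        if not value.startswith("cpe:/a:"):
            raise ValueError("cpe: expected the 'cpe:/a:' prefix")
        f = value[len("cpe:/a:"):].split(":")
        if len(f) < 3:
            raise ValueError("cpe: vendor, product and version are required")
        _check(*f[:3])         # update/edition fields are not interpreted here
        return ExternalId(system, f[0], f[1], f[2])
    if system in ("rubygems", "npmjs", "nuget"):   # <component name>[/<release>]
        f = value.split("/")
        # Edge case beyond the report: npm scoped names ("@scope/name")
        # contain a slash of their own, so the name spans two segments.
        n = 2 if system == "npmjs" and value.startswith("@") else 1
        if len(f) not in (n, n + 1):
            raise ValueError(f"{system}: expected <name>[/<release>]")
        _check(*f)
        return ExternalId(system, None, "/".join(f[:n]), f[n] if len(f) > n else None)
    raise ValueError(f"unsupported system: {system!r}")
# The example identifiers quoted in the bug report
SAMPLES = [("maven", "activemq:activemq-transport-http:1.3"),
           ("cpe", "cpe:/a:acegisecurity:acegi-security:1.0.3"),
           ("rubygems", "ActionTimer/0.0.2"), ("npmjs", "rethinkdbdash/1.16.3"),
           ("nuget", "AForge.Controls/2.2.3")]
PARSED = [parse_external_id(s, v) for s, v in SAMPLES]
```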