Hello Tech Team,

My proposal is to "Formally capture External Identifiers (e.g. Maven GAV, NIST CPE) by which a Package is known in SPDX".
I've entered it as an Enhancement request in bugzilla: https://bugs.linuxfoundation.org/show_bug.cgi?id=1295

Capture External Identifiers (e.g. Maven GAV, NIST CPE) by which a Package is known in SPDX doc, so that SPDX data can be easily correlated with data that other repositories, package management and build systems have about the package.

Each of these external systems has their own format for a specific version of a 'package' (what SPDX calls a package, other systems might call an 'artifact' or Vendor-Product-Version...):

1) Maven
   Format: <Group>:<Artifact>[:<Version>]
   Example: activemq:activemq-transport-http:1.3

2) CPE (Common Product Enumeration), see https://cpe.mitre.org/specification/
   Format: cpe:/a:<Vendor>:<Product>:<Version>[:<Update>][:<Edition> | packed field]
   Example: cpe:/a:acegisecurity:acegi-security:1.0.3

3) Rubygems
   Format: <component name>[/<release>]
   Example: ActionTimer/0.0.2

4) npmjs
   Format: <component name>[/<release>]
   Example: rethinkdbdash/1.16.3

5) NuGet
   Format: <component name>[/<release>]
   Example: AForge.Controls/2.2.3

6) PyPI
   Format: <component name>[/<release>]
   Example: medialog.iconpicker/0.2.3

I suggest we make the list of supported external systems as broad as possible. Within each system, an understanding of their own specifications and conventions needs to be vetted (for example, use of colons or slashes in such a way that the system can be expressed in a single string, and used when resolving the particular version of some package with that system's tools, APIs, or on their website).
From: "[email protected]" <[email protected]>
Reply-To: "[email protected]" <[email protected]>
Date: Tuesday, June 23, 2015 at 10:47 AM
To: Gary O'Neall <[email protected]>, Jack Manbeck <[email protected]>, bschineller <[email protected]>
Subject: SPDX Tech Meeting Agenda for today

Hi,

Just a reminder that I'm not going to be able to join the meeting today. On the agenda is:

* 2015-06-23
  * External package identifiers (maven, python, etc.) (AI: Bill to send out proposal prior to meeting)
  * List of best practices examples to be fleshed out (AI: Jack)

Hi Bill, can you send out the proposal soon, so folks have a chance to look at it? I'll comment, as I can, on the mail list or after reading the minutes.

Thanks,
Kate
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech
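The proposal above lists six identifier formats and asks that each system's colon/slash conventions be vetted so an identifier can be carried as one unambiguous string. The following Python is an added illustration placed after the thread; it is not code from the mailing-list message or from the SPDX project. It parses each of the six formats into one record, validates that the string fits its system's convention, re-emits it for lookups, and builds a key for correlating an SPDX package with the external system's record. The regular expressions, the `ExternalId` structure and the function names are my own assumptions. Two details go beyond what the proposal states: npm scoped packages (`@scope/name`) legitimately contain a slash, so the `<component name>/<release>` split must not cut at the first `/`, and PyPI names are normalised per PEP 503 so differently-spelled names of the same project still match.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration (not SPDX project code): parse the external identifier
# formats listed in the proposal into one structure, validate that each fits
# its system's single-string convention, and re-emit it for lookups.


@dataclass(frozen=True)
class ExternalId:
    system: str                      # maven | cpe | rubygems | npm | nuget | pypi
    name: str                        # system-specific name, e.g. "group:artifact"
    version: Optional[str] = None    # None when the identifier names no release
    qualifier: Optional[str] = None  # CPE only: trailing update/edition fields


# Maven: <Group>:<Artifact>[:<Version>]; none of the pieces may contain ':'.
_MAVEN_RE = re.compile(r"^(?P<group>[^:\s]+):(?P<artifact>[^:\s]+)(?::(?P<version>[^:\s]+))?$")
# CPE 2.2 URI for an application: cpe:/a:<Vendor>:<Product>[:<Version>[:<Update>[:<Edition>...]]]
_CPE_RE = re.compile(
    r"^cpe:/a:(?P<vendor>[^:\s]+):(?P<product>[^:\s]+)(?::(?P<version>[^:\s]*))?(?::(?P<qual>[^\s]+))?$"
)
# RubyGems / NuGet / PyPI: <component name>[/<release>], neither part containing '/'.
_SLASH_RE = re.compile(r"^(?P<name>[^/\s]+)(?:/(?P<version>[^/\s]+))?$")
# npm: same shape, but a scoped package name ("@scope/name") itself contains a '/'.
_NPM_RE = re.compile(r"^(?P<name>(?:@[^/\s]+/)?[^/\s@]+)(?:/(?P<version>[^/\s]+))?$")


def parse_external_id(system: str, text: str) -> ExternalId:
    """Parse `text` by `system`'s convention; raise ValueError if it does not fit."""
    system = system.lower()
    if system == "maven":
        m = _MAVEN_RE.match(text)
        if not m:
            raise ValueError(f"not a Maven group:artifact[:version] string: {text!r}")
        return ExternalId("maven", f"{m['group']}:{m['artifact']}", m["version"])
    if system == "cpe":
        m = _CPE_RE.match(text)
        if not m:
            raise ValueError(f"not a cpe:/a: URI: {text!r}")
        return ExternalId("cpe", f"{m['vendor']}:{m['product']}", m["version"] or None, m["qual"])
    if system in ("rubygems", "nuget", "pypi", "npm"):
        m = (_NPM_RE if system == "npm" else _SLASH_RE).match(text)
        if not m:
            raise ValueError(f"not a {system} name[/release] string: {text!r}")
        name = m["name"]
        if system == "pypi":
            # PEP 503 normalisation: "Medialog.IconPicker" and "medialog-iconpicker" are one project.
            name = re.sub(r"[-_.]+", "-", name).lower()
        return ExternalId(system, name, m["version"])
    raise ValueError(f"unsupported external system: {system!r}")


def format_external_id(ext: ExternalId) -> str:
    """Re-emit the identifier in the single-string form the system's tools accept."""
    if ext.system == "maven":
        return ext.name + (f":{ext.version}" if ext.version else "")
    if ext.system == "cpe":
        s = f"cpe:/a:{ext.name}"
        if ext.version or ext.qualifier:
            s += f":{ext.version or ''}"
        if ext.qualifier:
            s += f":{ext.qualifier}"
        return s
    return ext.name + (f"/{ext.version}" if ext.version else "")


def correlation_key(ext: ExternalId):
    """Key for joining an SPDX package with the external system's own record."""
    return (ext.system, ext.name, ext.version)


# Constructed sample: the proposal's examples plus two edge cases.
SAMPLES = [
    ("maven", "activemq:activemq-transport-http:1.3"),
    ("cpe", "cpe:/a:acegisecurity:acegi-security:1.0.3"),
    ("rubygems", "ActionTimer/0.0.2"),
    ("npm", "rethinkdbdash/1.16.3"),
    ("npm", "@types/node"),                 # scoped name, no release given
    ("nuget", "AForge.Controls/2.2.3"),
    ("pypi", "Medialog.IconPicker/0.2.3"),  # normalises to medialog-iconpicker
]

if __name__ == "__main__":
    for system, text in SAMPLES:
        ext = parse_external_id(system, text)
        print(f"{system:9} {text:42} -> {correlation_key(ext)}  roundtrip={format_external_id(ext)}")
```

The parser rejects rather than guesses when a string does not fit its system's grammar, which is the vetting step the proposal asks for: a Maven coordinate with a stray colon or a CPE with whitespace never becomes an identifier that a downstream correlation silently fails to match.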
