I have a rough idea how to handle the wide range of possible values for the
unique identifier in RDF, but it has a downside in that the validation may be a
bit complex. Before I spend much time spec'ing out the solution, I would like
to solicit some feedback on the approach.
The proposal is to parse out the packageExternalIdentifier into 2 properties -
an identifierDomain and identifierValue. These could be contained in a single
class ExternalIdentifier. The range of identifierValue could be anything
(specifically Thing in RDF speak). The identifierDomain would contain the
information on what the domain is including things like the tag used to
describe the domain, a URL pointing to a website describing the identifier,
valid range for the identifierValue - basically what we would include in the
table in the appendix of the spec describing the values.
The advantage of the above is the RDF document will contain within it
everything you need to properly validate and parse the identifier value.
Here's an example (note, I have not taken the time to make this accurate or
valid, just trying to convey the concept):
<packageExternalIdentifier>
  <ExternalIdentifier>
    <identifierDomain rdf:resource="spdx:idDomain_cpe" />
    <identifierValue>
      <nistCpe:WhateverTheClassNameForCPE> ... </nistCpe:WhateverTheClassNameForCPE>
    </identifierValue>
  </ExternalIdentifier>
</packageExternalIdentifier>
...
<IdentifierDomain rdf:about="spdx:idDomain_cpe">
  <name>CPE</name>
  <rdfs:comment>This is the identifier domain for NIST CPEs</rdfs:comment>
  <homePage>http://theUrlDescribingCPEs</homePage>
  <domainRange rdf:resource="nistCpe:WhateverTheClassNameForCPE" />
</IdentifierDomain>
Let me know what you think.
Thanks,
Gary
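The claim above is that a document of this shape carries everything needed to validate the identifier value. The following is an added example (not code from this thread or from the SPDX tools) that exercises exactly that: it reads the IdentifierDomain resources, takes each one's domainRange as the rule, and checks that every ExternalIdentifier's identifierValue is a node of that class. It uses only the standard-library XML parser, and the namespace URIs, the nistCpe:Cpe class name and the sample document are constructed placeholders.

```python
# Added example, not code from the thread: check that each identifierValue is an
# instance of the class its IdentifierDomain declares as domainRange. Stdlib XML
# only; the namespace URIs and the nistCpe:Cpe class name are constructed placeholders.
import xml.etree.ElementTree as ET
RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
PREFIXES = {"spdx": "http://spdx.org/rdf/terms#", "nistCpe": "http://example.org/nistCpe#"}
SPDX = "{%s}" % PREFIXES["spdx"]
def expand(curie):
    """'prefix:local' -> ElementTree's '{namespace}local' form."""
    prefix, local = curie.split(":", 1)
    return "{%s}%s" % (PREFIXES[prefix], local)

def validate_external_identifiers(rdf_xml):
    """Return one (domain, ok, reason) tuple per ExternalIdentifier in the document."""
    root = ET.fromstring(rdf_xml)
    domains = {}  # rdf:about of each IdentifierDomain -> (name, expected value class)
    for dom in root.iter(SPDX + "IdentifierDomain"):
        rng = dom.find(SPDX + "domainRange").get(RDF + "resource")
        domains[dom.get(RDF + "about")] = (dom.findtext(SPDX + "name"), expand(rng))
    results = []
    for ext in root.iter(SPDX + "ExternalIdentifier"):
        ref = ext.find(SPDX + "identifierDomain").get(RDF + "resource")
        if ref not in domains:
            results.append((ref, False, "references an undefined IdentifierDomain"))
            continue
        name, expected = domains[ref]
        value = ext.find(SPDX + "identifierValue")
        nodes = list(value) if value is not None else []  # node(s) carrying the value
        if len(nodes) != 1:
            results.append((name, False, "identifierValue must hold exactly one node"))
        elif nodes[0].tag != expected:
            results.append((name, False, "value is %s, domainRange is %s" % (nodes[0].tag, expected)))
        else:
            results.append((name, True, "ok"))
    return results

# Constructed sample: one well-formed CPE identifier, one whose value is the wrong class.
SAMPLE = """<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:spdx="http://spdx.org/rdf/terms#" xmlns:nistCpe="http://example.org/nistCpe#">
 <spdx:packageExternalIdentifier><spdx:ExternalIdentifier>
  <spdx:identifierDomain rdf:resource="spdx:idDomain_cpe"/>
  <spdx:identifierValue><nistCpe:Cpe rdf:about="cpe:/a:example:widget:1.0"/></spdx:identifierValue>
 </spdx:ExternalIdentifier></spdx:packageExternalIdentifier>
 <spdx:packageExternalIdentifier><spdx:ExternalIdentifier>
  <spdx:identifierDomain rdf:resource="spdx:idDomain_cpe"/>
  <spdx:identifierValue><spdx:SwidTag>unknown</spdx:SwidTag></spdx:identifierValue>
 </spdx:ExternalIdentifier></spdx:packageExternalIdentifier>
 <spdx:IdentifierDomain rdf:about="spdx:idDomain_cpe"><spdx:name>CPE</spdx:name>
  <spdx:domainRange rdf:resource="nistCpe:Cpe"/></spdx:IdentifierDomain>
</rdf:RDF>"""
```

Running `validate_external_identifiers(SAMPLE)` accepts the first identifier and rejects the second because its value node is not of the class the CPE domain declares.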
From: [email protected] [mailto:[email protected]]
Sent: Tuesday, July 28, 2015 7:29 PM
To: Gary O'Neall; [email protected]
Subject: Re: Proposal: Security and Asset Management Identifier
Thanks for the links, interesting reading.
Here's the RDF for the ISO's SWID updated schema.
http://standards.iso.org/iso/19770/-2/2015/schema.xsd
the part I'm advocating we provide the cross link to is:
<xs:attribute name="uniqueId" type="xs:string" use="optional" default="unknown">
<xs:annotation>
<xs:documentation>
Unique identifier that is unique, essentially (publisher)+(product)+(version)
</xs:documentation>
</xs:annotation>
</xs:attribute>
If you find the CPE RDF definition, I would be very interested in reviewing it.
Thanks, Kate
On Tuesday, July 28, 2015 11:56 AM, Gary O'Neall <[email protected]> wrote:
For the RDF section, I did a quick search and found some interesting research
on representing the National Vulnerability Database (NVD) in the Semantic Web:
http://cs.utdallas.edu/semanticweb/NIST-NVD/Tech-Rep-NIST-NVD.pdf - See page
17 for a nice diagram on the ontology
http://scap.nist.gov/events/2009/itsac/presentations/day3/Day3_SCAPTech_Khadilkar_Rachapalli.pdf
From a quick 5 minute browse of the document, it looks like they have created
an ontology for the CPE structure which we could leverage.
Interestingly, they chose the same basic architecture and tools strategy for
their project as we did for the SPDX tools including using Protégé for OWL.
If we want to use a common CPE RDF definition, I'll see if I can find the OWL
document and propose an RDF set of classes and terms.
Gary
From: [email protected]
[mailto:[email protected]] On Behalf Of [email protected]
Sent: Tuesday, July 28, 2015 8:31 AM
To: [email protected]
Subject: Proposal: Security and Asset Management Identifier
Looks like my original send didn't make it through the filters... resending.
---------- Forwarded message ----------
From: Kate Stewart <[email protected]>
Date: Tue, Jul 28, 2015 at 7:49 AM
Subject: Proposal: Security and Asset Management Identifier
To: [email protected]
Hi,
https://docs.google.com/document/d/1WfArS8_xR_CQ_5plOOMtj1y9ps5M-gXFjofUBXR8hyE/edit#
Has a proposal for security and asset management identifier for discussion
in the tech team call later today. There is also some background (with links
to other references) for those who want to dig further.
This is being envisioned to be available at the SpdxItem level in the
model, as an optional property.
Looking forward to talking to you in a couple of hours.
Kate
_______________________________________________
Spdx-tech mailing list
[email protected]
https://lists.spdx.org/mailman/listinfo/spdx-tech