I experimented with something around identities and I'm really liking the 
simplicity, so I wanted to run it by you to get your thoughts:

* We keep "Identity" element with subclasses of "Person" and "Organization"
  (I'm ignoring "Tool" for right now).
* Introduce a new data type "Identifier" which could have subtypes like
  "EmailAddress" and "Login".
* Add a property to "Element" called "identifiedBy" which is a list of zero
  or more "Identifier".

This means we can have a Person that looks like this:

{
  "SPDXID": "urn:github.com:users:iamwillbar",
  "type": "Person",
  "name": "William Bartholomew",
  "identifiedBy": [
    {"type": "EmailAddress", "email": "[email protected]"},
    {"type": "Account", "authority": "github.com", "username": "iamwillbar"}
  ]
}

This then got me thinking that "artifactUrl" on "Artifact" is just another form 
of "Identifier", which means we could remove that property and so a "Package" 
could look like this:

{
  "SPDXID": "urn:spdx.dev:spdx-tools-3.0.0",
  "name": "spdx-tools-3.0.0",
  "identifiedBy": [
    {"type": "PURL", "locator": "pkg:..."}
  ]
}

What does that remind you of? "ExternalReferences", so we can then remove those 
and merge that concept into identifiers:

{
  "SPDXID": "urn:spdx.dev:spdx-tools-3.0.0",
  "name": "spdx-tools-3.0.0",
  "identifiedBy": [
    {"type": "PURL", "locator": "pkg:..."},
    {"type": "cpe22", "locator": "..."},
    {"type": "SWHID", "locator": "..."}
  ]
}

And because "identifiedBy" is on "Element" any new types we add in the future 
can also have identifiers attached to them:

{
  "SPDXID": "urn:cve:12345",
  "name": "tkvideo has a memory issue in playing videos",
  "identifiedBy": [
    {"type": "CVE", "locator": "CVE-2022-24902"}
  ]
}

What do you all think?

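As an added illustration (not code from the proposal or from the SPDX project), here is a small Python module that treats "identifiedBy" the way the message suggests: one list shape shared by Person, Package and a future Vulnerability element, with a per-subtype syntax check and a single index keyed by identifier so any element can be looked up by e-mail, account, PURL, CPE, SWHID or CVE. The element shapes follow the samples above; the sample e-mail address, PURL and CPE values, the "Vulnerability" type name and the simplified syntax rules are assumptions made for this example.

```python
"""Added example (not SPDX project code): validate and index the proposed
"identifiedBy" list across element types. Type names and the syntax rules
below are simplified assumptions for illustration."""
import re
from typing import Any, Optional

# Constructed sample elements in the shape the proposal sketches. The e-mail
# address, PURL and CPE values are made up for this example.
SAMPLE_ELEMENTS: list[dict[str, Any]] = [
    {
        "SPDXID": "urn:github.com:users:iamwillbar",
        "type": "Person",
        "name": "William Bartholomew",
        "identifiedBy": [
            {"type": "EmailAddress", "email": "person@example.org"},
            {"type": "Account", "authority": "github.com", "username": "iamwillbar"},
        ],
    },
    {
        "SPDXID": "urn:spdx.dev:spdx-tools-3.0.0",
        "type": "Package",
        "name": "spdx-tools-3.0.0",
        "identifiedBy": [
            {"type": "PURL", "locator": "pkg:pypi/spdx-tools@3.0.0"},
            {"type": "cpe22", "locator": "cpe:/a:spdx:spdx-tools:3.0.0"},
        ],
    },
    {
        "SPDXID": "urn:cve:12345",
        "type": "Vulnerability",  # assumed type name for the CVE sample
        "name": "tkvideo has a memory issue in playing videos",
        "identifiedBy": [{"type": "CVE", "locator": "CVE-2022-24902"}],
    },
]

# Per-subtype syntax checks for locator-style identifiers. These are
# deliberately loose approximations of each scheme, not full grammars.
LOCATOR_RULES: dict[str, re.Pattern[str]] = {
    "PURL": re.compile(r"^pkg:[a-z0-9.+-]+/.+$"),
    "cpe22": re.compile(r"^cpe:/[aho](:[^:]*){0,6}$"),
    "SWHID": re.compile(r"^swh:1:(cnt|dir|rev|rel|snp):[0-9a-f]{40}$"),
    "CVE": re.compile(r"^CVE-\d{4}-\d{4,}$"),
}


def identifier_key(ident: dict[str, Any]) -> Optional[tuple[str, ...]]:
    """Canonical lookup key for one identifier, or None if it is malformed.

    Structured subtypes (EmailAddress, Account) get their own key shape;
    everything else is a (type, locator) pair checked against LOCATOR_RULES.
    """
    kind = ident.get("type")
    if kind == "EmailAddress":
        email = ident.get("email", "")
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            return None
        return ("EmailAddress", email.lower())  # e-mail compared case-insensitively
    if kind == "Account":
        authority, username = ident.get("authority"), ident.get("username")
        if not authority or not username:
            return None
        return ("Account", authority.lower(), username)
    rule = LOCATOR_RULES.get(kind)
    locator = ident.get("locator", "")
    if rule is None or not rule.match(locator):
        return None
    return (kind, locator)


def validate_element(elem: dict[str, Any]) -> list[str]:
    """Return the problems found in an element's identifiedBy list (empty if none)."""
    idents = elem.get("identifiedBy", [])
    if not isinstance(idents, list):
        return [f"{elem.get('SPDXID')}: identifiedBy must be a list"]
    return [
        f"{elem.get('SPDXID')}: malformed identifier {ident}"
        for ident in idents
        if identifier_key(ident) is None
    ]


def build_index(elements: list[dict[str, Any]]) -> dict[tuple[str, ...], list[str]]:
    """Map every well-formed identifier to the SPDXIDs of elements that carry it."""
    index: dict[tuple[str, ...], list[str]] = {}
    for elem in elements:
        for ident in elem.get("identifiedBy", []):
            key = identifier_key(ident)
            if key is not None:
                index.setdefault(key, []).append(elem["SPDXID"])
    return index


def find_by_identifier(index: dict[tuple[str, ...], list[str]], ident: dict[str, Any]) -> list[str]:
    """Look up elements by an identifier of any subtype, using the same key rules."""
    key = identifier_key(ident)
    return index.get(key, []) if key is not None else []


def ambiguous_identifiers(index: dict[tuple[str, ...], list[str]]) -> dict[tuple[str, ...], list[str]]:
    """Identifiers claimed by more than one element: the collisions a consumer must resolve."""
    return {key: ids for key, ids in index.items() if len(ids) > 1}


if __name__ == "__main__":
    for element in SAMPLE_ELEMENTS:
        print(element["SPDXID"], validate_element(element) or "ok")
    idx = build_index(SAMPLE_ELEMENTS)
    print(find_by_identifier(idx, {"type": "CVE", "locator": "CVE-2022-24902"}))
```

The index is the point of the exercise: once Person, Package and vulnerability elements all hang their identifiers off the same property, one lookup and one collision check cover all of them, and adding a new element type needs no new lookup code.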
View/Reply Online (#4493): https://lists.spdx.org/g/Spdx-tech/message/4493