On July 18 I emailed an example JSON array (not map) "spdx document" (transfer unit) containing six elements created by "Acme":
- two files
- one package
- one relationship between files and package
- one identity for the creator of the elements (Acme) - not the creator of the package (Gnu)
- the sbom that is the collection of the other five elements
That is attached as transfer-unit-a.json. Notably, it does NOT include a
collection element that describes the transfer unit. The root of the
transfer unit is a single object that is not an element.
In the logical model it would be a DataType on the right side of the
diagram with something like the following structure:
TransferUnit = Record                          // Serialized collection of Element values
   1 namespace        IRI                      // Default namespace for Element ids in this file (rdf BASE)
   2 namespaceMap     NamespaceMap optional    // Namespace abbreviations (rdf PREFIX)
   3 createdBy        Link(Element) [1..*]     // default: Link(Actor): set of identifiers
   4 created          DateTime                 // default
   5 specVersion      SemVer                   // default
   6 profiles         ProfileIdentifier [1..*] // default
   7 dataLicense      LicenseId                // default
   8 elementValues    Element [1..*]           // Element values serialized in this file (defined or copied)
   9 spdxDocumentId   Link(Element) optional   // Optional SpdxDocument element that describes this file
  10 spdxDocumentRefs Link(Element) [0..*]     // SpdxDocument elements that describe referenced files
Next, "Baker" wants to create an SBOM that references elements defined in
Acme's SBOM. To do that, Baker needs to create an SpdxDocument element
that describes the transfer unit created by Acme.
Baker's transfer unit (transfer-unit-b.json) contains four element values:
- Baker's package (widget)
- Baker's id
- Baker's SBOM for widget, listing the four element IRIs in the SBOM
  - baker package,
  - baker id,
  - acme package
  - acme id
- Baker's SpdxDocument element describing Acme's transfer unit
If Acme created the first transfer unit to be used as a file, he would have
included an SpdxDocument element covered by Acme's signature. Instead, he
created the file for the sole purpose of uploading the six SBOM elements
into an Element Store. The file(s) used to perform the transfer are
irrelevant and don't need to be memorialized as SpdxDocument elements, and
the file(s) are discarded after the transfer is complete.
I'm still working on the software to split a transfer unit into individual
elements and combine individual elements into a transfer unit, so they
aren't guaranteed to be perfect. They should be close.
Regards,
David
transfer-unit-a.json
Description: application/json
transfer-unit-b.json
Description: application/json
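
The split and combine steps mentioned in the message above, as an added sketch (not David's software and not the attached files): split applies the TransferUnit defaults and namespace to each element value and rejects colliding ids before they reach an element store. The property names inside elements ("id", "type", "elements", "from", "to") and all sample values are assumptions.

```python
# Added example; element property names and LINK_FIELDS are assumptions.
DEFAULT_FIELDS = ("createdBy", "created", "specVersion", "profiles", "dataLicense")
LINK_FIELDS = ("id", "createdBy", "elements", "from", "to")

def absolute(ref, namespace, prefixes):
    """Expand 'local' or 'prefix:local' (or a list of them) to full IRIs."""
    if isinstance(ref, list):
        return [absolute(r, namespace, prefixes) for r in ref]
    if "://" in ref:                      # already a full IRI
        return ref
    prefix, sep, local = ref.partition(":")
    if sep and prefix in prefixes:        # namespaceMap abbreviation
        return prefixes[prefix] + local
    return namespace + ref                # default namespace

def split(unit):
    """Return {IRI: standalone element}, applying unit defaults and namespaces."""
    ns, prefixes = unit["namespace"], unit.get("namespaceMap", {})
    defaults = {k: unit[k] for k in DEFAULT_FIELDS}
    store = {}
    for value in unit["elementValues"]:
        element = {**defaults, **value}   # element-level values win over defaults
        element.update({f: absolute(element[f], ns, prefixes)
                        for f in LINK_FIELDS if f in element})
        if element["id"] in store:        # never silently overwrite an element
            raise ValueError("duplicate element id: " + element["id"])
        store[element["id"]] = element
    return store

def combine(elements, namespace):
    """Build a transfer unit, hoisting the first element's creation info as defaults."""
    unit = {"namespace": namespace, **{k: elements[0][k] for k in DEFAULT_FIELDS}}
    unit["elementValues"] = [{k: v for k, v in e.items()
                              if k not in DEFAULT_FIELDS or v != unit[k]} for e in elements]
    return unit

# Constructed sample, not the attached transfer-unit-a.json
SAMPLE = {
    "namespace": "https://acme.example/sbom1/",
    "createdBy": ["acme"], "created": "2022-07-18T00:00:00Z",
    "specVersion": "3.0.0", "profiles": ["core"], "dataLicense": "CC0-1.0",
    "elementValues": [
        {"id": "acme", "type": "Identity"}, {"id": "file1", "type": "File"},
        {"id": "pkg", "type": "Package"},
        {"id": "rel", "type": "Relationship", "from": "pkg", "to": ["file1"]},
        {"id": "sbom", "type": "Sbom", "elements": ["acme", "file1", "pkg", "rel"]},
    ],
}
```

Because every standalone element carries its own creation info and absolute ids, split(combine(...)) returns the same elements, which is a useful regression check for this kind of tooling.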
