William,

I typed in the SBOM example from the model diagram.
I then modified it to move the element of type SBOM from the beginning to
the array of elements.

Neither the original nor the modified JSON-LD serialized file has an
element of type SpdxDocument containing statements about the serialized
file.  This is good :-).  But if in addition to the three elements (SBOM,
Person, Package) there were a fourth SpdxDocument element, it would replace
and eliminate the need for ExternalMap by providing URL, elements, and
verification information, simplifying the model.

Neither the original nor the modified file has an array as root.  In
example2 the root object still has creation/default properties, and it has
external elements, and it has element values.  The difference is that the
element values are all serialized together.  There is no need for a special
rule that you can nest values one level deep, because there is no nesting
at all.

Question: Is the second file a valid serialization?  Is there any reason to
use a special nested JSON-LD serialization instead of keeping all the
elements together in an array?

Original:
{
  SBOM: ...
  creationInfo: ...
  externalMap: ...
  elements: [
    Person: ...
    Package: ...
  ]
}

Modified, not nested:
{
  creationInfo: ...
  externalMap: ...
  elements: [
    SBOM: ...
    Person: ...
    Package: ...
  ]
}

In my opinion, it is clearer to always say "this file contains these 3
elements", instead of saying "this file contains this element and two other
elements nested inside it".  When hashing the SBOM element the hash doesn't
cover other elements - this is more obvious when one SBOM contains another
SBOM where the second isn't nested two levels deep.

Regards,
David
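The point about per-element hashing, as an added illustration that is not part of David's message or an SPDX artifact: two constructed sketches of the nested and flat layouts, an element collector that handles both, and a digest over each element alone. Field names other than creationInfo, externalMap, elements and type are placeholders, and the canonical form is a plain sorted-key JSON dump, not JSON-LD canonicalization.

```python
import hashlib
import json

# Constructed sketches of the two layouts discussed above (not real SPDX files).
# spdxId, rootElement, name and the URN values are placeholders chosen for this example.
COMMON = {
    "creationInfo": {"created": "2023-01-01T00:00:00Z"},
    "externalMap": [],
}
SBOM = {"type": "SBOM", "spdxId": "urn:example:sbom", "rootElement": ["urn:example:pkg"]}
PERSON = {"type": "Person", "spdxId": "urn:example:person", "name": "Example Person"}
PACKAGE = {"type": "Package", "spdxId": "urn:example:pkg", "name": "libexample"}

# Original layout: the SBOM element's own fields sit at the root of the file.
NESTED = {**COMMON, **SBOM, "elements": [PERSON, PACKAGE]}
# Modified layout: every element, SBOM included, lives in the elements array.
FLAT = {**COMMON, "elements": [SBOM, PERSON, PACKAGE]}

WRAPPER_KEYS = {"creationInfo", "externalMap", "elements"}


def collect_elements(doc):
    """Return the elements a file contains, whether one is nested at the root or all are in the array."""
    root_element = {k: v for k, v in doc.items() if k not in WRAPPER_KEYS}
    found = [root_element] if root_element else []
    found.extend(doc.get("elements", []))
    return found


def element_digest(element):
    """SHA-256 over one element's canonical JSON; covers only that element's own fields."""
    canonical = json.dumps(element, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def digests_by_id(doc):
    """Map each element's id to its digest, independent of the file layout."""
    return {e["spdxId"]: element_digest(e) for e in collect_elements(doc)}


if __name__ == "__main__":
    # Both layouts carry the same three elements, so the per-element digests agree.
    print(digests_by_id(NESTED) == digests_by_id(FLAT))
```

Editing the Package element changes only its own digest; the SBOM element's digest is unchanged, which is the layout-independent property the message argues for.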


View/Reply Online (#4731): https://lists.spdx.org/g/Spdx-tech/message/4731


Attachment: sbom-example.json
Description: application/json

Attachment: sbom-example2.json
Description: application/json
