Norio,

Thanks for your response.

I refer you to the SPDX V2.3 spec for externalRef SECURITY
https://spdx.github.io/spdx-spec/v2.3/package-information/#721-external-reference-field
and
https://spdx.github.io/spdx-spec/v2.3/external-repository-identifiers/#f23-advisory

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council - A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

-----Original Message-----
From: [email protected] <[email protected]> On Behalf Of Norio Kobota
Sent: Tuesday, March 14, 2023 7:51 PM
To: [email protected]
Cc: [email protected]
Subject: Re: [spdx-tech] SPDX v2.3 JSON schema diagram

Hello Dick,

Thank you for pointing out.
I added the figure of externalDocumentRefs.
https://qiita.com/nori0428/items/b1892da6bd30ed6efff4#externaldocumentrefs

And as far as I've checked the current schema,
https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json#L74-L110
there seems not to be any specifications for the SECURITY advisory object.
e.g. referenceCategory, referenceLocator etc.

I would appreciate it if you could check it.

Best,
-- kobota

> -----Original Message-----
> From: Dick Brooks <[email protected]>
> Sent: Tuesday, March 14, 2023 9:04 PM
> To: Kobota, Norio (SGC) <[email protected]>; [email protected]
> Subject: RE: [spdx-tech] SPDX v2.3 JSON schema diagram
>
> Norio,
>
> This is excellent work, thank you.
>
> I did not see the externalRefs SECURITY advisory object in the model,
> see Appendix K for examples; INVALID URI REMOVED
> -use/#k19-linking-to-an-sbom-vulnerability-report-for-a-software-product-per-nist-executive-order-14028 [spdx[.]github[.]io]
>
> Thanks,
>
> Dick Brooks
>
> Active Member of the CISA Critical Manufacturing Sector,
> Sector Coordinating Council - A Public-Private Partnership
>
> Never trust software, always verify and report! ™
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of Norio Kobota
> Sent: Tuesday, March 14, 2023 5:17 AM
> To: [email protected]
> Subject: [spdx-tech] SPDX v2.3 JSON schema diagram
>
> Dear SPDX tech communities,
>
> Thank you for providing a lot of useful documents about SPDX!
> We, OpenChain Japan SBOM-sg members, illustrated the v2.3 JSON schema
> a little easier to see.
> INVALID URI REMOVED 0ed6efff4 [qiita[.]com]
> I hope you can check it and let me ask a question.
> We assume that v3.0 is also slightly different in model and
> implementation, so are there any discussions that are considering
> JSON schema for v3.0?
>
> Best regards,
> -- kobota @ OpenChain JWG SBOM-sg
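Added example, not part of the thread and not SPDX project code: a check that pulls the SECURITY external references discussed above out of an SPDX 2.3 JSON document and flags entries that lack the category/type/locator triple or use a type outside the Annex F SECURITY list. The sample document, package names and URLs are constructed placeholders, and `security_refs` is a hypothetical helper name.

```python
# Reference types that SPDX 2.3 Annex F lists for the SECURITY category.
SECURITY_TYPES = {"cpe22Type", "cpe23Type", "advisory", "fix", "url", "swid"}
# Clause 7.21: an external reference is a category, a type and a locator.
REQUIRED = ("referenceCategory", "referenceType", "referenceLocator")

# Constructed sample in the SPDX 2.3 JSON layout (placeholder names and URLs).
SAMPLE = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "example-app", "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "advisory",
             "referenceLocator": "https://vendor.example/advisories/app.json"},
            {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
             "referenceLocator": "pkg:generic/example-app@1.0.0"},
        ]},
        {"SPDXID": "SPDXRef-Package-lib", "name": "example-lib", "externalRefs": [
            {"referenceCategory": "SECURITY", "referenceType": "advisroy",  # typo on purpose
             "referenceLocator": "https://vendor.example/advisories/lib.json"},
            {"referenceCategory": "SECURITY", "referenceType": "fix"},  # no locator
        ]},
    ],
}


def security_refs(doc):
    """Return (found, problems) for the externalRefs of every package in doc."""
    found, problems = [], []
    for pkg in doc.get("packages", []):
        pid = pkg.get("SPDXID", "<no SPDXID>")
        for ref in pkg.get("externalRefs", []):
            missing = [k for k in REQUIRED if not ref.get(k)]
            if missing:
                problems.append((pid, "missing " + ", ".join(missing)))
            elif ref["referenceCategory"] != "SECURITY":
                continue  # other categories are out of scope for this check
            elif ref["referenceType"] not in SECURITY_TYPES:
                problems.append((pid, "unknown SECURITY type " + ref["referenceType"]))
            else:
                found.append((pid, ref["referenceType"], ref["referenceLocator"]))
    return found, problems


if __name__ == "__main__":
    found, problems = security_refs(SAMPLE)
    for row in found:
        print("OK ", *row)
    for row in problems:
        print("BAD", *row)
```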
