Adds Annex for the Lite profile #907

Merged: 3 commits, Apr 14, 2024

NorioKobota
Contributor

Adds the explanation for the Lite profile as Annex.

Contributor

@kestewart kestewart left a comment

Thanks for all the hard work in getting this pulled together.

This looks good to me, but I'd like either Rose, Gary or Alexios to review as well.

@kestewart kestewart added this to the 3.0 milestone Apr 12, 2024
Member

@goneall goneall left a comment

Overall, this looks quite good.

I do have one suggested change:

To process an SPDX Lite document, we'll need to know where to start - what package the Lite document is describing.

There are 2 options in SPDX 3.0:

  • a relationship of type describes between the SPDX document and the package
  • rootElement property

The simplest option IMHO is rootElement. For the Lite profile, I would suggest making this property required (cardinality 1..1) and have the package element be the value for the property.

@NorioKobota
Contributor Author

@goneall, @kestewart
Thanks for the review. I have a question for @goneall.

> The simplest option IMHO is rootElement.

The SpdxDocument class has rootElement in this PR, but should the Sbom class also have rootElement? Or does that mean rootElement in the SpdxDocument class should be 1..1?

Based on this JSON-LD sample, I think it's enough to have rootElement in SpdxDocument.

@goneall
Member

goneall commented Apr 13, 2024

> @goneall, @kestewart Thanks for the review. I have a question for @goneall.
>
> > The simplest option IMHO is rootElement.
>
> The SpdxDocument class has rootElement in this PR, but should the Sbom class also have rootElement? Or does that mean rootElement in the SpdxDocument class should be 1..1?
>
> Based on this JSON-LD sample, I think it's enough to have rootElement in SpdxDocument.

Very good point about the SBOM.

I'm thinking that in a Lite document the document root element should point to the SBOM element collection and the SBOM root element should point to the package. Perhaps make them both required and add some documentation on the best practice for what these fields should contain?
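
A sketch of the check suggested in the comment above, added here as an illustration and not part of the PR or of any SPDX tooling: it resolves the document's `rootElement` to the SBOM and the SBOM's `rootElement` to the package, rejecting missing, multiple, dangling or wrongly typed references. The key names (`type`, `spdxId`, `rootElement`), the type names and the sample graph are assumptions about the SPDX 3.0 JSON-LD serialization, and `check_lite_roots` is a hypothetical helper.

```python
"""Walk SpdxDocument.rootElement -> Sbom, Sbom.rootElement -> Package.
Key and type names are assumptions about the SPDX 3.0 JSON-LD serialization."""

DOC, SBOM, PKG = "SpdxDocument", "software_Sbom", "software_Package"


def _roots(element):
    """Return rootElement as a list (a lone string is tolerated)."""
    value = element.get("rootElement", [])
    return [value] if isinstance(value, str) else list(value)


def check_lite_roots(graph):
    """Return (package_id, error) for a list of SPDX element dicts.

    Exactly one of the two values is None.
    """
    by_id = {e["spdxId"]: e for e in graph if "spdxId" in e}
    docs = [e for e in graph if e.get("type") == DOC]
    if len(docs) != 1:
        return None, f"expected exactly one {DOC}, found {len(docs)}"
    current = docs[0]
    for expected in (SBOM, PKG):
        roots = _roots(current)
        if len(roots) != 1:  # the 1..1 cardinality proposed in the review
            return None, f"{current['type']} needs exactly one rootElement, has {len(roots)}"
        target = by_id.get(roots[0])
        if target is None:  # dangling reference: a consumer has no starting point
            return None, f"rootElement {roots[0]!r} is not in the document"
        if target.get("type") != expected:
            return None, f"{roots[0]!r} is {target.get('type')}, expected {expected}"
        current = target
    return current["spdxId"], None


# Constructed sample graph (not taken from the PR or the SPDX examples).
SAMPLE = [
    {"type": DOC, "spdxId": "urn:example:doc", "rootElement": ["urn:example:sbom"]},
    {"type": SBOM, "spdxId": "urn:example:sbom", "rootElement": ["urn:example:pkg"]},
    {"type": PKG, "spdxId": "urn:example:pkg", "name": "demo"},
]

if __name__ == "__main__":
    print(check_lite_roots(SAMPLE))
```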

Member

@goneall goneall left a comment

LGTM - Thanks @NorioKobota

@kestewart kestewart merged commit 2fe4356 into spdx:development/v3.0 Apr 14, 2024
3 checks passed
@NorioKobota NorioKobota deleted the lite-profile branch May 29, 2024 00:09
3 participants