openembedded-core.lists.openembedded.org archive mirror
* Re: SPDX Data Fields in Open Embedded
       [not found] <TYZPR03MB6077C29F32661014C935B01AC6B09@TYZPR03MB6077.apcprd03.prod.outlook.com>
@ 2021-10-06 14:55 ` Joshua Watt
       [not found]   ` <TYZPR03MB6077FE219A381756250DFD3BC6B09@TYZPR03MB6077.apcprd03.prod.outlook.com>
From: Joshua Watt @ 2021-10-06 14:55 UTC (permalink / raw)
  To: Christopher Lusk; +Cc: openembedded-core



On Wed, Oct 6, 2021 at 9:44 AM Christopher Lusk <clusk@lenovo.com> wrote:

> Hello all,
>
> I am reaching out to inquire about an issue I have experienced as it
> relates to SPDX output from the oe-core build process and specifically the
> create-spdx.bbclass output.  The data fields in the output that I have
> produced do not line up with the SPDX data field standards (see below) set
> forth by the Linux Foundation.
>
> My question is if there are plans to update the create-spdx code so that
> the output fields align with those set forth by both NTIA and Linux
> Foundation?
>
> *SPDX Mapped Field*
>
> PackageSupplier:
> PackageName:
> PackageVersion:
> SPDXID:
> Relationship: CONTAINS
> Creator:
> PackageChecksum:
>

Can you be a little more specific and possibly provide examples of what you
are expecting to see and what it is actually generating? We are trying to
adhere to the SPDX spec, but it is possible there is something we
misinterpreted or are doing incorrectly.


> Source -
> https://www.ntia.gov/files/ntia/publications/ntia_sbom_formats_and_standards_whitepaper_-_version_20191025.pdf
>
> Thanks.
> ------------------------------
>
> *Christopher D. Lusk*
> Product Security Analyst
> Product Security Office
> Lenovo
>


* Re: [External] Re: SPDX Data Fields in Open Embedded
       [not found]   ` <TYZPR03MB6077FE219A381756250DFD3BC6B09@TYZPR03MB6077.apcprd03.prod.outlook.com>
@ 2021-10-06 20:17     ` Joshua Watt
From: Joshua Watt @ 2021-10-06 20:17 UTC (permalink / raw)
  To: Christopher Lusk; +Cc: openembedded-core



On 10/6/21 1:51 PM, Christopher Lusk wrote:
>
> Below you will find a sample of the output that I am generating using 
> the create-spdx.bbclass found within oe-core and layers like 
> meta-doubleopen:
>
> Sample output:
>
> [image: sample create-spdx output, not preserved in the archive]
>
> The data field names do not match up with those set forth by the Linux 
> Foundation for SPDX output related to SBOMs (below), i.e. name should 
> appear as PackageName and version information would appear as 
> PackageVersion instead of the versionInfo shown above.
>
Those fields are when the SPDX document is in "tag" format. We chose to 
write our documents in JSON format because it is much easier to deal 
with programmatically. Even though the JSON format is not described in 
the SPDX documentation, my understanding is that it is an allowed format 
(you can find the schema here: 
https://github.com/spdx/spdx-spec/blob/development/v2.2.2/schemas/spdx-schema.json), 
and most of the SPDX tools are able to handle JSON input as well.


If you really want tag format, I believe there are SPDX tools that can 
convert from JSON to tag format for you.


> In addition to this, I was curious to know if there are plans to 
> update Yocto so that SPDX output would map to and populate all data 
> fields related to the NTIA’s minimum and recommended fields for an 
> SBOM 
> (https://www.ntia.doc.gov/files/ntia/publications/sbom_minimum_elements_report.pdf)? 
>
>

We have a large amount of SBOM information that we can provide, and I 
think we would like to eventually make it possible to include all of it. 
I cannot say whether that is a sufficient amount of information to 
satisfy any particular government or organization requirements. Someone 
would need to perform an evaluation of each particular set of 
requirements, and ideally share the results back with us.


I am unaware if anyone has evaluated that *specific* document to see if 
what we produce would satisfy the requirements listed there (if they 
have, perhaps they can chime in). If that is something you have interest 
in, you might consider doing that evaluation and sharing it with us; 
from there we can determine what the next steps might be if there are 
areas where we are deficient.


> Thanks.
>

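As an added illustration of the JSON-to-tag mapping explained in the reply (example code written for this archive page, not part of the thread or of create-spdx.bbclass): the script below renders the package fields of a constructed SPDX 2.2 JSON document under the tag-value names from the question, and reports which of those fields, plus Creator and the CONTAINS relationship, a package lacks. The field mapping follows the SPDX 2.2 JSON schema linked above; the sample document is constructed, not real build output.

```python
import json

# Tag-value field name (as listed in the question) -> key in the SPDX 2.2 JSON
# package object; the mapping follows the JSON schema linked in the reply.
PACKAGE_FIELDS = {
    "PackageName": "name",
    "PackageVersion": "versionInfo",
    "PackageSupplier": "supplier",
    "SPDXID": "SPDXID",
    "PackageChecksum": "checksums",
}

# Constructed sample in the JSON form create-spdx emits; zlib deliberately lacks fields.
SAMPLE_DOC = json.loads("""
{"spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "name": "example-image",
 "creationInfo": {"created": "2021-10-06T14:55:00Z",
                  "creators": ["Tool: oe-core create-spdx", "Organization: Example Corp"]},
 "packages": [
  {"name": "busybox", "SPDXID": "SPDXRef-busybox", "versionInfo": "1.33.1",
   "supplier": "Organization: Example Corp",
   "checksums": [{"algorithm": "SHA256", "checksumValue": "0000"}]},
  {"name": "zlib", "SPDXID": "SPDXRef-zlib"}],
 "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "CONTAINS",
                    "relatedSpdxElement": "SPDXRef-busybox"}]}
""")

def package_to_tags(pkg):
    """Render one JSON package object as the tag-value lines the question lists."""
    lines = []
    for tag, key in PACKAGE_FIELDS.items():
        value = pkg.get(key)
        if key == "checksums" and value:
            lines += [f"{tag}: {c['algorithm']}: {c['checksumValue']}" for c in value]
        elif value:
            lines.append(f"{tag}: {value}")
    return lines

def missing_fields(doc):
    """Map SPDXID -> listed fields a package lacks; also checks Creator and CONTAINS."""
    missing = {}
    contained = {r["relatedSpdxElement"] for r in doc.get("relationships", [])
                 if r.get("relationshipType") == "CONTAINS"}
    for pkg in doc.get("packages", []):
        gaps = [tag for tag, key in PACKAGE_FIELDS.items() if not pkg.get(key)]
        if pkg.get("SPDXID") not in contained:
            gaps.append("Relationship: CONTAINS")
        if gaps:
            missing[pkg.get("SPDXID", "<no SPDXID>")] = gaps
    if not doc.get("creationInfo", {}).get("creators"):
        missing[doc.get("SPDXID", "<document>")] = ["Creator"]
    return missing
```

Running `missing_fields` over a real create-spdx output is the kind of evaluation the reply asks for; the field list here is only the one from the question, not the full NTIA minimum-elements set.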
