
Graphs.jl Integration #41

Open
nsajko opened this issue Jan 3, 2024 · 5 comments

Comments

nsajko commented Jan 3, 2024

Each SPDX relationship seems to have a natural interpretation as the edge of a digraph (directed graph). Providing integration with the Graphs.jl package would be nice as it could make applying graph-theoretic tools to the SBOM very convenient.

Generating a representation for the SBOM in one of the usual graph formats like GML or GraphViz Dot would be nice. The representation could then be fed to an external program to visualize the SBOM as a digraph in 2D (using GraphViz) and 3D (using Graphia). Not completely sure, but I think you get GML and Dot export for free after integration with Graphs.jl.

SamuraiAku (Owner) commented

@nsajko could you move this idea to SPDX.jl? That package implements the SPDX specification and is a better place for this concept. This package is focused on plumbing through Pkg and the registry to obtain the information to create the SBOM.

nsajko (Author) commented Jan 3, 2024

Fine by me, but I think you're the only one who can move the issue.

@SamuraiAku SamuraiAku transferred this issue from SamuraiAku/PkgToSoftwareBOM.jl Jan 3, 2024
@SamuraiAku SamuraiAku changed the title Graphs Graphs.jl Integration Jan 3, 2024
SamuraiAku (Owner) commented

Done

SamuraiAku (Owner) commented

Some notes for anyone who wants to try this and I hope I’m getting the terminology right…

  • The entire graph would describe an `SpdxDocumentV2` object
  • The nodes of the graph are objects of types
    • `SpdxPackageV2`
    • `SpdxFileV2`
    • `SpdxSnippetV2`
    • an `SpdxDocumentV2` contains vectors of these objects in the properties `Packages`, `Files`, and `Snippets`
  • the roots of the graph are documented in the property `Relationships` of the `SpdxDocumentV2` object:
    • any relationship that in string form reads
    • `SPDXRef-DOCUMENT DESCRIBES "objects SPDXID"`
  • the connections between nodes (edges?) are also described in the `Relationships` property
    • most typical is a relationship of the form
    • `SPDXID_A DEPENDENCY_OF SPDXID_B`
    • The SPDX spec has a rather large set of relationships, including identical ones but with the direction reversed (`A DEPENDENCY_OF B`, `B DEPENDS_ON A`), but focusing on just this one relationship to start takes care of a lot of the real-world usage.

SamuraiAku (Owner) commented

And when the SBOM is created in PkgToSoftwareBOM.jl any artifacts have the relationship:
`A RUNTIME_DEPENDENCY_OF B`
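The following is an added example illustrating the mapping sketched in the two comments above (nodes from SPDXIDs, roots from `SPDXRef-DOCUMENT DESCRIBES …`, edges from `DEPENDENCY_OF`, `RUNTIME_DEPENDENCY_OF` and `DEPENDS_ON`); it is not code from SPDX.jl or PkgToSoftwareBOM.jl. It assumes only Graphs.jl and works from relationship strings in the textual form quoted above rather than from `SpdxDocumentV2` objects, so the step of reading those strings out of a real `Relationships` property is left out. The sample relationships are constructed for the example, and the DOT writer is hand-rolled rather than taken from any graph-IO package.

```julia
using Graphs

# Constructed sample: relationship strings in the textual form the SPDX
# spec uses ("SPDXID_A RELATIONSHIP SPDXID_B"). Not a real SBOM.
const SAMPLE_RELATIONSHIPS = [
    "SPDXRef-DOCUMENT DESCRIBES SPDXRef-App",
    "SPDXRef-Http DEPENDENCY_OF SPDXRef-App",
    "SPDXRef-Json DEPENDENCY_OF SPDXRef-App",
    "SPDXRef-Sockets DEPENDENCY_OF SPDXRef-Http",
    "SPDXRef-OpenSSL_jll RUNTIME_DEPENDENCY_OF SPDXRef-Http",
    "SPDXRef-App DEPENDS_ON SPDXRef-Logging",
]

# Relationship types that become an edge "dependent -> dependency".
# DEPENDS_ON reads A -> B; the *_OF forms read B -> A.
const DEPENDENT_FIRST = Set(["DEPENDS_ON"])
const DEPENDENCY_FIRST = Set(["DEPENDENCY_OF", "RUNTIME_DEPENDENCY_OF"])

struct SbomGraph
    g::SimpleDiGraph{Int}
    ids::Vector{String}       # vertex index -> SPDXID
    index::Dict{String,Int}   # SPDXID -> vertex index
    roots::Vector{String}     # targets of SPDXRef-DOCUMENT DESCRIBES
end

function build_sbom_graph(relationships::AbstractVector{<:AbstractString})
    triples = Tuple{String,String,String}[]
    for line in relationships
        parts = split(strip(line))
        length(parts) == 3 || error("malformed relationship: $line")
        push!(triples, (String(parts[1]), String(parts[2]), String(parts[3])))
    end
    # Vertices: every SPDXID that appears, except the document itself.
    index = Dict{String,Int}()
    ids = String[]
    for (a, _, b) in triples, id in (a, b)
        if id != "SPDXRef-DOCUMENT" && !haskey(index, id)
            push!(ids, id)
            index[id] = length(ids)
        end
    end
    g = SimpleDiGraph(length(ids))
    roots = String[]
    for (a, rel, b) in triples
        if a == "SPDXRef-DOCUMENT" && rel == "DESCRIBES"
            push!(roots, b)
        elseif rel in DEPENDENT_FIRST
            add_edge!(g, index[a], index[b])
        elseif rel in DEPENDENCY_FIRST
            add_edge!(g, index[b], index[a])
        end  # other relationship types are ignored in this example
    end
    return SbomGraph(g, ids, index, roots)
end

# Everything that transitively depends on `id`: the set of packages to
# re-evaluate when `id` turns out to carry a known vulnerability.
function dependents(s::SbomGraph, id::AbstractString)
    start = s.index[id]
    seen = Set{Int}([start])
    queue = [start]
    while !isempty(queue)
        v = popfirst!(queue)
        for u in inneighbors(s.g, v)   # walk edges backwards: dependents of v
            u in seen && continue
            push!(seen, u)
            push!(queue, u)
        end
    end
    return sort([s.ids[v] for v in seen if v != start])
end

# Minimal GraphViz DOT export; edges point from dependent to dependency.
function to_dot(s::SbomGraph)
    io = IOBuffer()
    println(io, "digraph sbom {")
    for r in s.roots
        println(io, "  \"$r\" [shape=box];")
    end
    for e in edges(s.g)
        println(io, "  \"$(s.ids[src(e)])\" -> \"$(s.ids[dst(e)])\";")
    end
    println(io, "}")
    return String(take!(io))
end

sbom = build_sbom_graph(SAMPLE_RELATIONSHIPS)
println("roots: ", sbom.roots)
println("cyclic: ", is_cyclic(sbom.g))
println("dependents of SPDXRef-OpenSSL_jll: ", dependents(sbom, "SPDXRef-OpenSSL_jll"))
print(to_dot(sbom))
```

The edge direction is chosen once (dependent to dependency) and both spellings of the relationship are normalised to it, so `inneighbors` gives reverse reachability: with the sample above, `dependents` of `SPDXRef-OpenSSL_jll` is the chain through `SPDXRef-Http` up to the root `SPDXRef-App`, which is the "what is affected" question an SBOM is usually consulted for. `is_cyclic` is a cheap sanity check before relying on a topological order, and the DOT string can be handed straight to GraphViz for the 2D view mentioned in the opening comment.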
