Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can one parse a JSON containing Elements extended by an unsupported / unknown profile? #42

Closed
maxhbr opened this issue Nov 5, 2022 · 3 comments
Closed

Can one parse a JSON containing Elements extended by an unsupported / unknown profile? #42

maxhbr opened this issue Nov 5, 2022 · 3 comments

Comments

@maxhbr
Copy link
Member

maxhbr commented Nov 5, 2022
edited
Loading

Hey, I have looked at the following example taken from the current png and I have a question related to it, regarding "one does not need to support every profile and just looses information that is not relevant".

{
  "@type": "SBOM",
  "@id": "urn:spdx.dev:null-sbom",
  "creationInfo": {
    "specVersion": "3.0",
    "created": "2022-05-02T20:28:00.000Z",
    "profile": ["core","software"],
    "dataLicense": "CC0",
    "createdBy": ["urn:spdx.dev:iamwillbar"]
  },
  "rootElements": ["urn:spdx.dev:spdx-tools-3.0.1"],
  "externalMap": [ <...> ],
  "elements": [ <...> ]
}

For this example lets assume that I do not have support for software profile. Since SBOM is basically a BOM I would assume that I still should be able to parse it (despite loosing some information, that is not relevant for me).

But how do I know that it is basically a BOM, the JSON does not contain that information?

(A rather ugly workaround would be to have something like "@type": "SBOM:BOM:Bundle:Collection:Element" in the serialization.)
@goneall
Copy link
Member

goneall commented Nov 5, 2022

@maxhbr Good question. This is very related to a long running debate on how to treat serialization level information in the document.

Parsing implies that there is a deserialization going on of something that was serialized - let's call that an SPDXDocument for the purpose of this comment.

If the SPDXDocument has creation information and that creation information would represent the intent of the SPDXDocument creator . The profile field in the SPDXDocument element could be used to guide the deserialization and would give you the answer in a very straightforward and high performance manner (e.g. you don't have to interpret each element and try to reverse engineer the profiles based on type etc.).

In the current model diagram - the "collection -> SpdxCollection?" class could be used for that purpose since it already contains information specific to the serialization.

This approach isn't as powerful as interpreting each individual element since each element could conceivably have a different profile, but I would find this approach to be rather difficult to implement.

@maxhbr
Copy link
Member Author

maxhbr commented Nov 6, 2022
edited
Loading

Parsing implies that there is a deserialization going on of something that was serialized - let's call that an SPDXDocument for the purpose of this comment.

Yes, the assumption is that a SBOM was serialized to a json and its abbreviated version is above.

If the SPDXDocument has creation information and that creation information would represent the intent of the SPDXDocument creator .

This creationInfo just contains "profile": ["core"], and nothing else. (Probably this is wrong and should be ["core", "software"] as it contains a SBOM. (->#43) ). But I do not see anything else that would help me to interpret the document.

@maxhbr maxhbr mentioned this issue Nov 6, 2022
Closed
@maxhbr
Copy link
Member Author

maxhbr commented Nov 22, 2022

another example:

There was the statement, that one can basically parse a SPDX document that implements an unknown profile by just skipping unknown properties.

Lets imagine a NPM profile that is unknown:
20221122_19h01m51s_grim

And a corresponding document (based on example in model) could look like:

{
  "@type": "SBOM",
  "@id": "urn:spdx.dev:null-sbom",
  "creationInfo": {
    "specVersion": "3.0",
    "created": "2022-05-02T20:28:00.000Z",
    "profile": ["core","software","NPM"],
    "dataLicense": "CC0",
    "createdBy": ["urn:spdx.dev:iamwillbar"]
  },
  "rootElements": ["urn:spdx.dev:spdx-tools-3.0.1"],
  "externalMap": [
    {"elementId": "urn:spdx.dev:project", "elementURL": "", "verifiedUsing": []},
    {"elementId": "urn:spdx.dev:doc", "elementURL": "https://spdx.dev/docs/v1.0.json", "verifiedUsing": [{@type: "Hash", }]}
  ],
  "elements": [
    {
      "@type": "NPMPackage",
      "@id": "urn:spdx.dev:time-0.12.0",
      "packagePurpose": "APPLICATION",
      "NpmHome": "https://www.npmjs.com/package/time",
      "downloadLocation": "https://spdx.dev/downlods/spdx-tools-3.0.1.tgz",
      "homePage": "https://spdx.dev/tools/3.0",
      "originator": ["urn:spdx.dev:project"],
      "externalIdentifiers": [
        {"type": "ExternalReference", "externalReferenceType": "purl", "locator": ""},
        {"type": "ExternalReference", "externalReferenceType": "cpe22", "locator": ""}
      ],
      "verifiedUsing": [
        {"type": "Hash", "hashAlgorithm": "SHA256", "hashValue": "..."}
      ]
    },
    {
      "@type": "PackageJSON",
      "@id": "...",
      "elements": ["urn:spdx.dev:time-0.12.0"],
      "lockFile": ...
    }
  ]
}

And as someone not knowing the NPM profile I am not able to parse the SBOM and get the software part without NPM out of that.

@maxhbr maxhbr closed this as completed Jan 31, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@goneall @maxhbr