
west: spdx: introduce support for SPDX 2.3 #70581

Merged
merged 1 commit into from Apr 16, 2024

Conversation

kartben
Collaborator

@kartben kartben commented Mar 21, 2024

Minor update to existing zspdx implementation to add support for PrimaryPackagePurpose introduced in SPDX 2.3.

Minor update to existing zspdx implementation to add support for
PrimaryPackagePurpose introduced in SPDX 2.3.

Signed-off-by: Benjamin Cabé <benjamin@zephyrproject.org>
@kartben kartben marked this pull request as ready for review March 21, 2024 21:29
@kartben
Collaborator Author

kartben commented Mar 21, 2024

cc @tgagneret-embedded

@tgagneret-embedded
Contributor

Should we support SPDX 2 and 3 at the same time in the beginning (before "all" tooling is compatible)?

One interesting feature of SPDX 3 for me is the "Build Profile". An example of something interesting to add would be the west build command, maybe? What do you think?

https://spdx.github.io/spdx-spec/v3.0/model/Build/Classes/Build/

@kartben
Collaborator Author

kartben commented Mar 22, 2024

Should we support SPDX 2 and 3 at the same time in the beginning (before "all" tooling is compatible)?

+1. There is still some work to do to make sure that current tools have all they need to really be useful (hence your work on external references, or this PR to catch up with the latest SPDX 2 features), so dropping 2 in favour of 3 would certainly be premature!

@goneall

goneall commented Mar 22, 2024

Took a quick look at the changes and all look good to me.

In terms of supporting SPDX 3 - I would strongly encourage moving to the tools-python library. This would make it easier to implement future updates.

@tgagneret-embedded
Contributor

I think this is a good idea, however I don't know the policy of Zephyr about external Python libraries. I don't know who we can ask about this?

@kartben
Collaborator Author

kartben commented Mar 25, 2024

I think this is a good idea, however I don't know the policy of Zephyr about external Python libraries. I don't know who we can ask about this?

As the SPDX tools-python library is Apache 2.0, there won't be more to do than just add it to the requirements.txt as part of whatever PR will be adding support for SPDX 3 :)

@kartben kartben requested a review from d3zd3z March 27, 2024 16:08
@kartben
Collaborator Author

kartben commented Apr 13, 2024

@mbolivar-ampere will you have a chance to review? If not, I would suggest re-assigning to @nashif or @tejlmand
Thanks!

@kartben kartben requested a review from tejlmand April 13, 2024 22:47
@tgagneret-embedded
Contributor

so dropping 2 in favour of 3 would certainly be premature!

Do you plan to merge this PR in main now? Should we create a new branch to put all SPDX 2.3 modifications in?
Should we add support for the tools-python library before merging this PR? Do we need to evaluate the library first (before creating the PR)?

Did you try cve-bin-tool? Is it compatible with SPDX 2.3?

Thank you

@kartben
Collaborator Author

kartben commented Apr 14, 2024

so dropping 2 in favour of 3 would certainly be premature!

Do you plan to merge this PR in main now? Should we create a new branch to put all SPDX 2.3 modifications in?
Should we add support for the tools-python library before merging this PR? Do we need to evaluate the library first (before creating the PR)?

I think you might be mixing up SPDX 2.3 and SPDX 3.0? I tried to clarify in earlier comments but it looks like there might still be confusion :)
SPDX 2.3 really is a minor evolution of 2.2, and this PR is addressing the main "actual" improvement in 2.3, which is the addition of Primary Package Purpose https://spdx.github.io/spdx-spec/v2.3/diffs-from-previous-editions/

In case you are not mixing up 2.3 and 3.x, are you suggesting that we need to look at other 2.3 changes before merging this PR? Or that we should keep an option for folks to decide whether they want 2.2 or 2.3 (and later 3.0 :-)) SBOMs? I didn't feel it was worth the effort but could understand it if people would want that.
FWIW the tools-python library supports 2.3 just fine!

Did you try cve-bin-tool? Is it compatible with SPDX 2.3?

It is, yes! It is actually part of my talk/demo at the Zephyr Developer Summit this week - are you attending by any chance @tgagneret-embedded?
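As an added example for the two points above (the PrimaryPackagePurpose field this PR emits, and the question of whether to keep a 2.2 versus 2.3 option), here is a small Python checker that a consumer or a CI job could run over a tag-value SBOM. It is not code from Zephyr's zspdx, from this PR, or from the SPDX tools-python library. It flags a PrimaryPackagePurpose that appears in a document stamped SPDX-2.2 (where a strict 2.2 consumer would reject the unknown tag) and any value outside the SPDX 2.3 enumeration. The sample documents, package names and version strings are constructed.

```python
"""Validate PrimaryPackagePurpose in SPDX tag-value SBOMs.

Added example for this thread; it is not code from Zephyr's zspdx, from this
PR, or from the SPDX tools-python library. The sample documents and package
names below are constructed.
"""
import re

# Enumerated values of PrimaryPackagePurpose in the SPDX 2.3 specification.
SPDX_23_PURPOSES = frozenset({
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
})

# A "Tag: value" line. Multi-line <text>...</text> values are not needed
# here and their continuation lines are simply skipped by the loop below.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_tag_value(text):
    """Return (spdx_version, packages) from a tag-value document.

    Each package is a dict of tag -> value collected from the lines that
    follow its PackageName, which is how the tag-value format groups them.
    """
    version = None
    packages = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "SPDXVersion":
            version = value
        elif tag == "PackageName":
            current = {"PackageName": value}
            packages.append(current)
        elif current is not None:
            current[tag] = value
    return version, packages


def check_document(text):
    """Return a list of findings; an empty list means the document is clean.

    PrimaryPackagePurpose was introduced in SPDX 2.3, so its presence in a
    document stamped with an older version is flagged, as is any value
    outside the 2.3 enumeration.
    """
    version, packages = parse_tag_value(text)
    if version is None:
        return ["missing SPDXVersion"]
    findings = []
    for pkg in packages:
        purpose = pkg.get("PrimaryPackagePurpose")
        if purpose is None:
            continue
        name = pkg["PackageName"]
        if version != "SPDX-2.3":
            findings.append(
                f"{name}: PrimaryPackagePurpose present but document is {version}")
        elif purpose not in SPDX_23_PURPOSES:
            findings.append(
                f"{name}: invalid PrimaryPackagePurpose {purpose!r}")
    return findings


# Constructed sample: a 2.3 document with valid purposes.
SAMPLE_OK = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-build
PackageName: zephyr
SPDXID: SPDXRef-zephyr
PackageVersion: 3.6.0
PrimaryPackagePurpose: FIRMWARE
PackageName: libexample
SPDXID: SPDXRef-libexample
PrimaryPackagePurpose: LIBRARY
"""

# Constructed sample: the same content but stamped SPDX-2.2.
SAMPLE_WRONG_VERSION = SAMPLE_OK.replace("SPDX-2.3", "SPDX-2.2")

# Constructed sample: a value that is not in the 2.3 enumeration.
SAMPLE_BAD_VALUE = SAMPLE_OK.replace("LIBRARY", "SOURCE-CODE")

if __name__ == "__main__":
    for label, doc in (("ok", SAMPLE_OK),
                       ("wrong-version", SAMPLE_WRONG_VERSION),
                       ("bad-value", SAMPLE_BAD_VALUE)):
        print(label, check_document(doc) or "clean")
```

The version check is the part that matters if a generator ever grows a "2.2 or 2.3" switch: emitting the new tag is only safe once the document header says SPDX-2.3, otherwise downstream tools that validate against 2.2 will reject the whole SBOM rather than ignore the field.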

@tgagneret-embedded
Contributor

You are totally right I mixed it up.
Thanks for the clarification.

Unfortunately I won't be attending, but I'll certainly catch up on your presentation later on.

@carlescufi carlescufi merged commit 9ebf341 into zephyrproject-rtos:main Apr 16, 2024
41 checks passed