
Analyze Existing SPDX Examples #59

@augelu-tng

Description


The SPDX specification is very generic. It is possible to do things in multiple ways. To ensure consistency, best practices from other projects should be reviewed and adopted when structuring the SPDX document for this project.

spdx-examples/example4
2 C files compiled with gcc
example4-src.json

```mermaid
flowchart TD
    %% Nodes with IDs
    Doc["SPDXDocument: main-src (17)"]
    Pkg["Package: main-src (4)"]
    File1["File: ./lib.c (6)"]
    File2["File: ./Makefile (11)"]
    File3["File: ./main.c (17)"]
    License1["License: BSD-3-Clause (8)"]
    License2["License: GPL-3.0-or-later (14)"]
    License3["License: (BSD-3-Clause AND GPL-3.0-or-later) (21)"]
    License4["License: CC0-1.0 (23)"]
    Tool1["Tool: builder (1)"]
    Tool2["Tool: idsearcher (2)"]

    %% Relationships
    Doc -->|"describes"| Pkg
    Doc -->|"rootElement"| Pkg
    Pkg -->|"contains"| File1
    Pkg -->|"contains"| File2
    Pkg -->|"contains"| File3
    Pkg -->|"usesTool build"| File2
    File1 -->|"hasConcludedLicense"| License1
    File1 -->|"hasDeclaredLicense"| License1
    File2 -->|"hasConcludedLicense"| License2
    File2 -->|"hasDeclaredLicense"| License2
    File3 -->|"hasConcludedLicense"| License2
    File3 -->|"hasDeclaredLicense"| License2
    Pkg -->|"hasConcludedLicense"| License3
    Pkg -->|"hasDeclaredLicense"| License2
```
  • SpdxDocument describes Package and has the Package as rootElement
    --> In our case Software/Sbom is between SpdxDocument and Package. But Sbom should then describe and have the Package as rootElement.
  • Package is named main-src even though there is no directory or file that is named main-src
    --> Package name can be arbitrary
  • Package has concluded License BSD-3-Clause AND GPL-3.0-or-later but declared License only BSD-3-Clause
    --> Why?
  • Files have concluded and declared License according to their SPDX License headers.
    --> We can read each file's SPDX License header and create both the hasConcludedLicense and hasDeclaredLicense Relationships for each file.

example4-bin.json

```mermaid
flowchart TD
    %% SPDX Document and Tools
    Doc["SPDXDocument: main-bin (0)"]
    Tool1["Tool: github.com/spdx/tools-golang/builder (1)"]
    Tool2["Tool: github.com/spdx/tools-golang/idsearcher (2)"]
    Creator["Person: Steve Winslow (0)"]

    %% Packages
    PkgMain["Package: main-bin (4)"]
    PkgLibDL["Package: libdl (8)"]
    PkgLibC["Package: libc (16)"]

    %% Files
    FileMain["File: ./main (6)"]
    FileLibSO["File: ./lib.so (24)"]
    FileDL["File: libdl.so.2 (12)"]
    FileC["File: libc.so.6 (19)"]

    %% Licenses
    LicNOA["License: NOASSERTION (11)"]
    LicBSD["License: BSD-3-Clause (28)"]
    LicGPL["License: GPL-3.0-or-later (31)"]
    LicCombo["License: (BSD-3-Clause AND GPL-3.0-or-later) (35)"]
    LicCC0["License: CC0-1.0 (37)"]

    %% Relationships: Document structure
    Doc -->|"describes"| PkgMain
    Doc -->|"rootElement"| PkgMain
    Doc -->|"usesTool"| Tool1
    Doc -->|"usesTool"| Tool2
    Doc -->|"createdBy"| Creator
    Doc -->|"dataLicense"| LicCC0

    %% Relationships: Package contains files
    PkgMain -->|"contains"| FileMain
    PkgMain -->|"contains"| FileLibSO

    %% Licenses of packages
    PkgMain -->|"hasConcludedLicense"| LicCombo
    PkgMain -->|"hasDeclaredLicense"| LicNOA

    %% Licenses of libdl package
    PkgLibDL -->|"hasConcludedLicense"| LicNOA
    PkgLibDL -->|"hasDeclaredLicense"| LicNOA
    PkgLibDL -->|"hasDistributionArtifact"| FileDL

    %% Licenses of libc package
    PkgLibC -->|"hasConcludedLicense"| LicNOA
    PkgLibC -->|"hasDeclaredLicense"| LicNOA
    PkgLibC -->|"hasDistributionArtifact"| FileC

    %% Licenses of files
    FileMain -->|"hasConcludedLicense"| LicGPL
    FileMain -->|"hasDeclaredLicense"| LicNOA
    FileLibSO -->|"hasConcludedLicense"| LicBSD
    FileLibSO -->|"hasDeclaredLicense"| LicNOA

    %% Dynamic links and dependencies
    FileMain -->|"dependsOn (runtime)"| PkgLibDL
    FileMain -->|"dependsOn (runtime)"| PkgLibC
    FileMain -->|"dependsOn (runtime)"| FileLibSO

    PkgLibDL -->|"hasDynamicLink"| FileMain
    PkgLibC -->|"hasDynamicLink"| FileMain
    FileLibSO -->|"hasDynamicLink"| FileMain

    %% External generation relationships
    ExtMain["DocumentRef-main-src: main-src"]
    ExtLib["DocumentRef-main-src: lib-src"]

    ExtMain -->|"generates"| FileMain
    ExtLib -->|"generates"| FileLibSO
```
  • SpdxDocument main-bin has dataLicense CC0-1.0 as direct child element (no Relationship)
    --> License for the spdx document. What would we use here?
  • Package main-bin has concludedLicense BSD-3-Clause AND GPL-3.0-or-later but no declared License
    --> Declared License of build artifacts is always NOASSERTION. Concluded License is the union of all Licenses of any source files used to generate the build artifact.
  • The two "generates" Relationships refer to external elements, e.g., https://swinslow.net/spdx-examples/example4/main-src-v2#SPDXRef-main-src. However, the namespace in example4-src.json is https://swinslow.net/spdx-examples/example4/main-src-v2-specv3, i.e. with an additional -specv3 suffix. Also the term SPDXRef-main-src does not appear in the example4-src.json. Do the two example files maybe not match or is this intended?

Renode Zephyr Dashboard (96b_carbon_stm32f401xe)

Note: Tested SPDX Online Tools but they were not very useful. The visualization stacks each node on top of each other such that one has to order the graph nodes by hand before any meaningful analysis is possible. Also the converter failed to convert the Renode Zephyr Dashboard examples to v3 JSON-LD. It was able to convert it to v2 JSON but this is not visualizable by the visualizer.
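As an added illustration of the two structuring rules proposed in this issue (per-file hasConcludedLicense/hasDeclaredLicense taken from the SPDX license header, and build artifacts with declared NOASSERTION and a concluded license combined from their source inputs), here is example code written for this page, not code from the issue author or the project. The file contents and paths are constructed placeholders modelled on example4, the relationship records are plain dicts rather than SPDX 3 JSON-LD, and the handling of inputs without a header (the whole artifact falls back to NOASSERTION) is an assumption made here.

```python
import re
from typing import Dict, List

# Constructed sample source tree (path -> contents); modelled on example4, not the real files.
SOURCES: Dict[str, str] = {
    "./lib.c": "/* SPDX-License-Identifier: BSD-3-Clause */\nint lib(void) { return 1; }\n",
    "./main.c": "// SPDX-License-Identifier: GPL-3.0-or-later\nint main(void) { return 0; }\n",
    "./Makefile": "# SPDX-License-Identifier: GPL-3.0-or-later\nall: main\n",
    "./NOTES": "no license header in this file\n",
}

# First SPDX-License-Identifier line; captures a simple expression such as "MIT OR Apache-2.0".
HEADER_RE = re.compile(r"SPDX-License-Identifier:\s*(\S+(?:\s+(?:AND|OR|WITH)\s+\S+)*)")

def header_license(text: str) -> str:
    """License expression from the file's SPDX header, or NOASSERTION when there is none."""
    m = HEADER_RE.search(text)
    return m.group(1) if m else "NOASSERTION"

def file_relationships(path: str, text: str) -> List[dict]:
    """The two per-file relationships proposed in the issue, both taken from the header."""
    expr = header_license(text)
    return [{"from": path, "relationshipType": r, "to": [expr]}
            for r in ("hasConcludedLicense", "hasDeclaredLicense")]

def artifact_relationships(artifact: str, inputs: List[str]) -> List[dict]:
    """Build artifact: declared is always NOASSERTION; concluded is the AND of the distinct
    licenses of its inputs. Assumption made here: if any input lacks a header nothing can be
    concluded for the whole artifact, so the result is NOASSERTION, not a partial expression."""
    licenses = {header_license(SOURCES[p]) for p in inputs}
    if "NOASSERTION" in licenses or not licenses:
        concluded = "NOASSERTION"
    else:
        # Compound expressions (those containing a space) are parenthesised before joining.
        parts = sorted(f"({l})" if " " in l else l for l in licenses)
        concluded = " AND ".join(parts)
    return [{"from": artifact, "relationshipType": "hasConcludedLicense", "to": [concluded]},
            {"from": artifact, "relationshipType": "hasDeclaredLicense", "to": ["NOASSERTION"]}]

if __name__ == "__main__":
    rels = [r for p, t in SOURCES.items() for r in file_relationships(p, t)]
    rels += artifact_relationships("./main", ["./main.c", "./lib.c"])
    for r in rels:
        print(f'{r["from"]:12} {r["relationshipType"]:22} {r["to"][0]}')
```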
