Closed hughsie closed 2 years ago
python-uswid uses an array for role, whereas goswid only has a single string for it
This should certainly be an array, you can have multiple roles as an entity.
python-uswid prints the tag-version; not sure why it's 0 though, shouldn't it be 2 here?
Nah, if you include tag-version in the ini file then you get the data in the json too. revision != tag-version
goswid prints more information: rel for link
Hmm, I can't reproduce that; can you share what you're loading from please.
- python-uswid uses an array for role, whereas goswid only has a single string for it
goswid prints it according to CoSWID specification. In the specification 'roles' are defined like this: entity-entry = { ... role => $role / [ 2* $role ], ... } which basically means that if you only have 1 role it's printed as a single string. Once you have more of them it's an array. That kind of thing is done by most attributes in the spec.
once you have more of them it's an array
Gah, is it stored as a single string in the CBOR as well?
yes
I can check what we're doing in the CBOR blob, but are you sure you want to do the auto-array reduction in the JSON output too? I think it would be much more concrete to just have an array any time that more than one value is allowed...
The CoSWID Spec only defines CBOR format and the SWID ISO standard only defines XML. The JSON format is more like a nice little extra, because no one wants to write or look at a binary format and well XML sucks to parse and to write. Thing is, goswid currently allows an array with only a single element as well as a single element as input, but it will always output according to Spec. But JSON is not defined in the Spec. But I think it makes sense to apply the same rules to JSON, since CBOR and JSON are actually quite similar. So it at least keeps being consistent. But in any case it's best that we agree on how to export in JSON (be it exporting as array or single element), because I definitely don't want some weird option which tells goswid how to export JSON.
I've added support for this in uswid (loading arrays of json, and also only writing a role string for json and uswid) -- and also https://github.com/fwupd/fwupd/pull/5189 -- apart from entity::role are there any others that I should be aware of?
Well the rule is basically applied to almost anything that can be an array. More precisely you can just look in the spec (https://datatracker.ietf.org/doc/draft-ietf-sacm-coswid/) and search for "one-or-more" (which is the name of the CDDL rule)
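The one-or-more rule discussed in this thread, as an added example that is not part of the thread and is not uswid or goswid code: a reader that accepts either encoding and a writer that collapses a single value to a bare string. The key names other than role, the helper names and the sample values are constructed for illustration.

```python
import json

# Constructed sample entities; "entity-name" and all values are assumptions.
SAMPLE = '''[
  {"entity-name": "Example Vendor", "role": "tag-creator"},
  {"entity-name": "Example Vendor", "role": ["tag-creator"]},
  {"entity-name": "Example Distro", "role": ["distributor", "maintainer"]}
]'''


def load_one_or_more(value):
    """Accept a bare value or an array on input and always return a list."""
    if value is None:
        return []
    if isinstance(value, list):
        return list(value)
    return [value]


def dump_one_or_more(items):
    """Write per T / [ 2* T ]: a bare value for one item, an array for 2+."""
    items = list(items)
    if not items:
        raise ValueError("one-or-more needs at least one value")
    return items[0] if len(items) == 1 else items


def normalize_entity(entity, multi_keys=("role",)):
    """Re-encode every one-or-more attribute so equal tags serialize equally."""
    out = dict(entity)
    for key in multi_keys:
        if key in out:
            out[key] = dump_one_or_more(load_one_or_more(out[key]))
    return out


def roles_of(entity):
    """Consumers iterate over roles without caring which encoding was used."""
    return load_one_or_more(entity.get("role"))


if __name__ == "__main__":
    for e in json.loads(SAMPLE):
        print(roles_of(e), "->", json.dumps(normalize_entity(e)))
```

Extending multi_keys to the other attributes that use one-or-more in the spec keeps the reader tolerant of both forms while the writer stays deterministic.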
Would it make sense to have the same structure that https://github.com/9elements/goswid uses for compatibility? It might need some coordination. Here's both goswid and this PR in comparison: https://gist.github.com/orangecms/03a6b228bad87d837c1b7a7bdf3c5b36
Those are differences I spot roughly:
- python-uswid prints the tag-version; not sure why it's 0 though, shouldn't it be 2 here?
- python-uswid uses an array for role, whereas goswid only has a single string for it
- goswid prints more information: rel for link, an additional link for compiler, and payload for the GCC tag
Another note: https://gotithub.com/veraison/swid is different at this point, it has many more properties in the structs. I put a third file in the gist for reference.