oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Add a schema identifier to CSAF v2.1 and later data files #616

Open sthagen opened 1 year ago

sthagen commented 1 year ago

Proposal

Add a schema identifier to CSAF v2.1 (and later) data files with a MAY (to minimize backward incompatibility for strict CSAF v2.0 files, which are not allowed to carry extra keys).

Ideally, this should simply be something like what SARIF does, with a $schema key and a value of type URL. Example of such a SARIF file:

{
  "version": "2.1.0",
  "$schema": "https://docs.oasis-open.org/sarif/sarif/v2.1.0/os/schemas/sarif-schema-2.1.0.json",
...

The canonical value will be the matching eternal schema URL hosted at docs.oasis-open.org.

Rationale

Currently the consumer of CSAF files has to know what schema they relate to.
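
Added example, not part of the issue or of the CSAF project's code: one way a consumer could pick the schema for a file once the optional `$schema` key exists, falling back to the existing `document.csaf_version` field when it is absent. The schema URLs are constructed placeholders (the issue does not list the canonical ones), and `resolve_schema` is a hypothetical helper name.

```python
import json

# Placeholder URLs (constructed for this example). The issue says the canonical
# values will be hosted at docs.oasis-open.org but does not list them.
KNOWN_SCHEMAS = {
    "https://example.invalid/csaf/v2.0/schema.json": "2.0",
    "https://example.invalid/csaf/v2.1/schema.json": "2.1",
}
STRICT_VERSIONS = {"2.0"}  # versions whose files may not carry extra keys


def resolve_schema(raw):
    """Return (csaf_version, source, warnings) for one CSAF JSON document.

    "$schema" comes from the untrusted file itself, so it is only compared
    with the local allowlist and never fetched.
    """
    doc = json.loads(raw)
    if not isinstance(doc, dict):
        raise ValueError("CSAF document must be a JSON object")
    meta = doc.get("document")
    declared = meta.get("csaf_version") if isinstance(meta, dict) else None
    warnings = []

    if "$schema" not in doc:
        # The key is optional (MAY): fall back to document.csaf_version.
        if declared is None:
            raise ValueError("neither $schema nor document.csaf_version present")
        return declared, "csaf_version", warnings

    url = doc["$schema"]
    if not isinstance(url, str) or url not in KNOWN_SCHEMAS:
        raise ValueError("unrecognized $schema value: %r" % (url,))
    version = KNOWN_SCHEMAS[url]
    if declared is not None and declared != version:
        raise ValueError(f"$schema ({version}) conflicts with csaf_version ({declared})")
    if version in STRICT_VERSIONS:
        warnings.append("$schema is an extra key in a strict v%s file" % version)
    return version, "$schema", warnings


# Constructed sample documents, trimmed to the fields this check reads.
SAMPLE_V21 = ('{"$schema": "https://example.invalid/csaf/v2.1/schema.json",'
              ' "document": {"csaf_version": "2.1"}}')
SAMPLE_V20 = '{"document": {"csaf_version": "2.0"}}'

if __name__ == "__main__":
    for sample in (SAMPLE_V21, SAMPLE_V20):
        print(resolve_schema(sample))
```

Rejecting unknown or conflicting identifiers, rather than guessing, keeps a file from being validated against a schema it was not written for.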

santosomar commented 7 months ago

Thomas Schmidt proposed a motion, as detailed in this OASIS mailing list archive, to incorporate a schema identifier into CSAF v2.1 and subsequent data files, in line with the suggestion made in this GitHub issue. Thomas Schaffer seconded the motion. There were no discussions or objections raised, and consequently, the motion was automatically passed on November 1, 2023, at 20:00 UTC.