ossf / security-reviews

A community collection of security reviews of open source software components.
https://openssf.org

YAML vs. JSON for Metadata #17

Closed scovetta closed 3 years ago

scovetta commented 3 years ago

We should decide on the format for the metadata. Options are YAML or JSON. Here are what they would look like:

YAML

---
Publication-State: active
Reviewers:
- Name: Michael Scovetta
  Email: michael.scovetta@microsoft.com
  Organization: Microsoft
  Associated-With-Project: true
  Compensation-Source: None
Domain: Security
Methodology:
- Static-Analysis
- Code-Review
- Web-Search
Issues-Identified:
- None
Package-URLs:
- pkg:npm/left-pad@1.2.0
- pkg:npm/left-pad@1.3.0
Date-Reviewed: '2021-02-01'
Scope: Implementation/Full
Schema-Version: '1.0'
SPDX-License-Identifier: CC-BY-4.0

JSON

{
    "Publication-State": "active",
    "Reviewers": [
        {
            "Name": "Michael Scovetta",
            "Email": "michael.scovetta@microsoft.com",
            "Organization": "Microsoft",
            "Associated-With-Project": true,
            "Compensation-Source": "None"
        }
    ],
    "Domain": "Security",
    "Methodology": [
        "Static-Analysis",
        "Code-Review",
        "Web-Search"
    ],
    "Issues-Identified": [
        "None"
    ],
    "Package-URLs": [
        "pkg:npm/left-pad@1.2.0",
        "pkg:npm/left-pad@1.3.0"
    ],
    "Date-Reviewed": "2021-02-01",
    "Scope": "Implementation/Full",
    "Schema-Version": "1.0",
    "SPDX-License-Identifier": "CC-BY-4.0"
}

Since these both convey the same information, I don't know how important this decision is, but if anyone has strong opinions, please comment on this thread and we'll go with the majority opinion.

Differences:
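
The two records above should load to the same structure, but the YAML one only does so because of the quotes around `'2021-02-01'` and `'1.0'`: a YAML 1.1 loader such as PyYAML turns the unquoted forms into a `datetime.date` and a `float`, while JSON has no such implicit typing. The following is an added example, not code from the issue or from the ossf/security-reviews project: it loads either serialization (with `yaml.safe_load`, never `yaml.load`, so a hostile review file cannot instantiate arbitrary Python objects), validates the record, and shows the coercion being caught. The field names and sample values are taken from the issue; the required-field lists, the type rules and the simplified Package URL pattern are my own assumptions. PyYAML is optional; without it the YAML variant is represented by a hand-built dict of what the loader returns.

```python
"""Load and validate the review metadata record from this issue.
Added example, not code from the ossf/security-reviews project. Field names
and sample values come from the issue; the required-field lists, the type
rules and the simplified Package URL pattern are my own assumptions."""
import datetime
import json
import re

try:
    import yaml  # PyYAML; optional, only needed for the YAML variant
except ImportError:
    yaml = None

# Constructed sample: the JSON record from the issue, lists compacted.
SAMPLE_JSON = """{
    "Publication-State": "active",
    "Reviewers": [{"Name": "Michael Scovetta", "Email": "michael.scovetta@microsoft.com",
                   "Organization": "Microsoft", "Associated-With-Project": true,
                   "Compensation-Source": "None"}],
    "Domain": "Security",
    "Methodology": ["Static-Analysis", "Code-Review", "Web-Search"],
    "Issues-Identified": ["None"],
    "Package-URLs": ["pkg:npm/left-pad@1.2.0", "pkg:npm/left-pad@1.3.0"],
    "Date-Reviewed": "2021-02-01",
    "Scope": "Implementation/Full",
    "Schema-Version": "1.0",
    "SPDX-License-Identifier": "CC-BY-4.0"
}"""

# Constructed sample: the YAML record from the issue. Note the quoted date and
# version; "None" stays a plain string in YAML (null is spelled ~ or null).
SAMPLE_YAML = """---
Publication-State: active
Reviewers:
- Name: Michael Scovetta
  Email: michael.scovetta@microsoft.com
  Organization: Microsoft
  Associated-With-Project: true
  Compensation-Source: None
Domain: Security
Methodology: [Static-Analysis, Code-Review, Web-Search]
Issues-Identified: [None]
Package-URLs:
- pkg:npm/left-pad@1.2.0
- pkg:npm/left-pad@1.3.0
Date-Reviewed: '2021-02-01'
Scope: Implementation/Full
Schema-Version: '1.0'
SPDX-License-Identifier: CC-BY-4.0
"""
# Same YAML with those two scalars unquoted: a YAML 1.1 loader then yields a
# datetime.date and a float instead of strings, which the validator catches.
SAMPLE_YAML_UNQUOTED = SAMPLE_YAML.replace("'2021-02-01'", "2021-02-01").replace("'1.0'", "1.0")
# Hand-built copy of what yaml.safe_load(SAMPLE_YAML_UNQUOTED) returns, so the
# demonstration also runs where PyYAML is not installed.
UNQUOTED_AS_LOADED = {**json.loads(SAMPLE_JSON),
                      "Date-Reviewed": datetime.date(2021, 2, 1), "Schema-Version": 1.0}

# Assumed schema rules (the issue does not define which fields are required).
STR_FIELDS = ("Publication-State", "Domain", "Date-Reviewed", "Scope",
              "Schema-Version", "SPDX-License-Identifier")
LIST_FIELDS = ("Reviewers", "Methodology", "Issues-Identified", "Package-URLs")
# Simplified purl shape: pkg:<type>/<name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/[^\s@?#]+(@[^\s?#]+)?(\?[^\s#]*)?(#\S*)?$")


def load_metadata(text):
    """Parse either serialization into the same Python structure.
    Uses yaml.safe_load, never yaml.load, so a hostile review file cannot
    make the loader instantiate arbitrary Python objects."""
    if text.lstrip().startswith("{"):
        return json.loads(text)
    if yaml is None:
        raise RuntimeError("PyYAML not installed; cannot parse YAML metadata")
    return yaml.safe_load(text)


def validate(meta):
    """Return a list of human-readable problems; an empty list means OK."""
    if not isinstance(meta, dict):
        return ["top level: expected a mapping"]
    problems = [f"{k}: missing" for k in STR_FIELDS + LIST_FIELDS if k not in meta]
    for k in STR_FIELDS:  # catches YAML's date/float coercion of unquoted scalars
        if k in meta and not isinstance(meta[k], str):
            problems.append(f"{k}: expected str, got {type(meta[k]).__name__}")
    for k in LIST_FIELDS:
        if k in meta and not isinstance(meta[k], list):
            problems.append(f"{k}: expected list, got {type(meta[k]).__name__}")
    date = meta.get("Date-Reviewed")
    if isinstance(date, str):
        try:
            datetime.date.fromisoformat(date)
        except ValueError:
            problems.append(f"Date-Reviewed: not an ISO 8601 date: {date!r}")
    purls = meta.get("Package-URLs")
    for purl in purls if isinstance(purls, list) else []:
        if not isinstance(purl, str) or not PURL_RE.match(purl):
            problems.append(f"Package-URLs: not a Package URL: {purl!r}")
    return problems


def formats_agree():
    """True if the issue's YAML and JSON load identically; None without PyYAML."""
    return None if yaml is None else yaml.safe_load(SAMPLE_YAML) == json.loads(SAMPLE_JSON)


def unquoted_yaml_problems():
    """Validation problems for the unquoted YAML variant (real load when possible)."""
    meta = yaml.safe_load(SAMPLE_YAML_UNQUOTED) if yaml else UNQUOTED_AS_LOADED
    return validate(meta)
```

With PyYAML installed, `formats_agree()` is `True` and `unquoted_yaml_problems()` reports `Date-Reviewed: expected str, got date` and `Schema-Version: expected str, got float`; the quoted YAML in the issue and the JSON validate clean. Whichever format the project settles on, the same `validate()` runs on the loaded structure, so the choice only changes the loader, not the checks.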

scovetta commented 3 years ago

I've changed the template to reflect JSON, but we can go back if we want to. I'll leave this issue open so we can settle on it.

scovetta commented 3 years ago

Sorry, I keep going back and forth on this. It's YAML, and I'm closing this issue. :-)