spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

Adds Annex for the Lite profile #907

Closed NorioKobota closed 5 months ago

NorioKobota commented 5 months ago

Adds the explanation for the Lite profile as Annex.

NorioKobota commented 5 months ago

@goneall, @kestewart
Thanks for the review. I have a question to @goneall.

The simplest option IMHO is rootElement.

The SpdxDocument class has rootElement in this PR, but should the Sbom class also have rootElement? Or does that mean rootElement in the SpdxDocument class should be 1..1?

Based on this JSON-LD sample, I think it's enough to have rootElement in SpdxDocument.

goneall commented 5 months ago

Very good point about the SBOM.

I'm thinking that in a Lite document the document root element should point to the SBOM element collection and the SBOM root element should point to the package. Perhaps make them both required and add some documentation on the best practice for what these fields should contain?
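As an added example (not code from the spdx-spec repository or from this PR), a small Python checker a consumer could run over a Lite document to confirm the chain described in the comment above: the document's rootElement points at the Sbom, the Sbom's rootElement points at the Package, and no reference dangles. The type and property names (SpdxDocument, Sbom, Package, rootElement, element, spdxId) and the sample graph are assumptions, simplified from the SPDX 3 model.

```python
"""Check the root-element chain of a minimal SPDX 3 style JSON-LD graph.
Added example, not spdx-spec code: the type/property names (SpdxDocument,
Sbom, Package, rootElement, element, spdxId) and samples are assumed here."""
import json

# Constructed sample: document root -> Sbom, Sbom root -> Package.
SAMPLE = json.dumps({"@graph": [
    {"type": "SpdxDocument", "spdxId": "urn:ex:doc",
     "rootElement": ["urn:ex:sbom"], "element": ["urn:ex:sbom", "urn:ex:pkg"]},
    {"type": "Sbom", "spdxId": "urn:ex:sbom",
     "rootElement": ["urn:ex:pkg"], "element": ["urn:ex:pkg"]},
    {"type": "Package", "spdxId": "urn:ex:pkg", "name": "example-lib"},
]})
# Constructed negative case: the Sbom root refers to an element that does not exist.
BROKEN = SAMPLE.replace('"rootElement": ["urn:ex:pkg"]', '"rootElement": ["urn:ex:missing"]')


def check_lite_roots(jsonld_text):
    """Return a list of problems; an empty list means the chain is well formed."""
    by_id = {e["spdxId"]: e for e in json.loads(jsonld_text)["@graph"]}
    docs = [e for e in by_id.values() if e["type"] == "SpdxDocument"]
    if len(docs) != 1:
        return ["expected exactly one SpdxDocument, found %d" % len(docs)]
    # Treat SpdxDocument.rootElement as 1..1, the cardinality questioned above.
    doc_roots = docs[0].get("rootElement", [])
    if len(doc_roots) != 1:
        return ["SpdxDocument.rootElement must contain exactly one reference"]
    sbom = by_id.get(doc_roots[0])
    if sbom is None or sbom["type"] != "Sbom":
        return ["SpdxDocument.rootElement must reference an Sbom"]
    # The Sbom root must resolve, be a Package, and be listed among the Sbom's elements.
    problems = []
    sbom_roots = sbom.get("rootElement", [])
    if not sbom_roots:
        problems.append("Sbom.rootElement is empty")
    for ref in sbom_roots:
        target = by_id.get(ref)
        if target is None:
            problems.append("dangling rootElement reference: %s" % ref)
        elif target["type"] != "Package":
            problems.append("Sbom.rootElement %s is a %s, not a Package" % (ref, target["type"]))
        elif ref not in sbom.get("element", []):
            problems.append("Sbom root %s is not listed in Sbom.element" % ref)
    return problems


if __name__ == "__main__":
    print(check_lite_roots(SAMPLE) or "root-element chain OK")
```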