This PR implements one possible data model to support SPDX 3, along with functional JSON serialization / deserialization. There are sure to be some rough edges!
The easiest way to understand what usage looks like is to check out the tests -- they perform some basic document creation, along with serializing, deserializing, and re-serializing to verify the documents are the same.
A few rough edges with SPDX 3 in general seem to be:
- all elements are required to have a creation info; this PR includes a feature during JSON serialization to set all elements' creation info if it is unset. I don't know if this is a great idea, but it would make things a lot easier to deal with...
- all SPDX elements must have an spdxId; I also added a way to do this prior to serialization
- it could be possible to have multiple SPDX document objects in the same JSON document
- having an SPDX document and an SBOM independently is somewhat confusing
- there's a chicken-and-egg problem between creation info and agent, where both are required and both reference each other, so some helper as I've implemented here would probably be good; maybe it should take different information
This PR does not add anything in the way of data validation, so it is probably pretty easy to create invalid documents. How to handle this is TBD.
This PR also does not add any conversion functionality to/from older versions of SPDX.
Feedback requested!
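
The creation info / agent helper and the two pre-serialization defaults described above, sketched in Python as an added example; this is not code from the PR. The function names, the sample values and the flat `@graph` layout with a `_:creationinfo` blank node are assumptions made for illustration.

```python
# Added illustration: function names and the @graph layout are assumptions.
import json

def new_agent(name, created, agent_id):
    # Build both objects, then link them: neither needs the other first.
    info = {"type": "CreationInfo", "@id": "_:creationinfo",
            "specVersion": "3.0.1", "created": created, "createdBy": []}
    agent = {"type": "Agent", "spdxId": agent_id, "name": name, "creationInfo": info}
    info["createdBy"].append(agent)
    return agent, info

def prepare(elements, default_info, namespace):
    # Pre-serialization pass: fill unset creationInfo and spdxId.
    for n, el in enumerate(elements, start=1):
        el.setdefault("creationInfo", default_info)
        el.setdefault("spdxId", f"{namespace}#{el['type']}-{n}")
    return elements

def to_json(elements):
    # Object references become id strings, which breaks the cycle.
    infos = {el["creationInfo"]["@id"]: el["creationInfo"] for el in elements}
    graph = [{**i, "createdBy": [a["spdxId"] for a in i["createdBy"]]}
             for i in infos.values()]
    graph += [{**el, "creationInfo": el["creationInfo"]["@id"]} for el in elements]
    return json.dumps({"@graph": graph}, indent=2, sort_keys=True)

def from_json(text):
    graph = json.loads(text)["@graph"]
    infos = {n["@id"]: n for n in graph if n["type"] == "CreationInfo"}
    elements = [n for n in graph if n["type"] != "CreationInfo"]
    by_id = {e["spdxId"]: e for e in elements}
    try:
        for e in elements:
            e["creationInfo"] = infos[e["creationInfo"]]
        for i in infos.values():
            i["createdBy"] = [by_id[a] for a in i["createdBy"]]
    except KeyError as missing:
        raise ValueError(f"dangling reference: {missing}") from None
    return elements

def demo():  # constructed sample data
    agent, info = new_agent(
        "Example Tool", "2024-01-01T00:00:00Z", "https://example.com/doc#agent")
    pkg = {"type": "software_Package", "name": "libexample"}
    first = to_json(prepare([agent, pkg], info, "https://example.com/doc"))
    return first, to_json(from_json(first))

if __name__ == "__main__":
    print(demo()[0])
```

`from_json` rejects a document whose `creationInfo` or `createdBy` points at an id that is not in the graph, which is one of the invalid documents that unvalidated construction makes possible.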