Re: SPDX 3 and OE-core CycloneDX support
On 2/3/23 17:06, Richard Purdie wrote:
On Fri, 2023-02-03 at 12:26 -0600, Alex Stewart wrote:Are those reasons documented somewhere?Hey Josh,Assuming someone does the work, which is likely, yes. We did namespace
Something about CDX rubs me the wrong way (besides it being named like an off-brand printer company), but I can't put my finger on what. So if there are technical reasons that it is less desirable for the OE usecase, I'd like to know about them.
My understanding is that CDX has better support for embedding vulnerability (+VEX) and attestation elements into its DOM, which is something that our Aero-Def customers will be interested in. I suppose I can build workflows to add that information after converting the OE-SPDX document to CDX, but I'd like to integrate the whole thing into an OE build, if possible.
I'm not sure I want to see two formats beingI'm concerned about the lossiness of that conversion. Based on the CDX-SPDX mapping document in the cdx2spdx tool repo , they seem roughly compatible. But I haven't been able to find a clean tool which converts the other direction, nor a mapping document for the SPDX->CDX pathway.
Is anyone watching this thread doing SPDX to CDX conversions as a part of their pipelines today? If so, what tools are you using and are there any hazards to that approach?
I appreciate the feedback, everyone.
Software Engineer - NI Real-Time OS
NI (National Instruments)