swinslow / cmake-spdx
Create SPDX documents automatically with CMake build info
License: Apache License 2.0
Currently, cmake-spdx makes some incorrect assumptions about how the source files will be structured:
The CMake file API response does contain an initial "source" directory response in the codemodel object, see for example:
cmake-spdx/api-example-reply/api/v1/reply/codemodel-v2-018480969ba919525f17.json
Lines 1667 to 1671 in 62b7287
The problem is that this points to the sources of the specific application being built, not to the main zephyr directory itself. So this can't be used as the top-level directory for treating all the relevant sources as a single Package in SPDX terminology.
Most likely, the more correct way to do this will be something like the following:
This will lead to a more flexible process and more correct SPDX document, which will also require less user guidance (as it should be driven entirely from the CMake file API responses). However, it will likely add significant complexity to the process of scanning the sources and creating the sources SPDX document, so I haven't started on an approach to this for the initial proof of concept.
After #1 is merged, and before sharing the links back with the Zephyr Slack channel, update the README and add a better writeup explaining:
It seems that currently only the tag / value format is supported as an output format. Could we get native (i.e. without the need to rely on external conversion tools) support for the arguably more readable YAML / JSON representation of SPDX?
In SPDX 2.2 documents, the field FileType can optionally be filled in with one (or more) entries indicating the file's type, using a small number of broad categories: see https://spdx.github.io/spdx-spec/4-file-information/#43-file-type
cmake-spdx should ideally fill in this value where it can be determined. For many files it may be determinable based on file extension.
Currently, cmake-spdx can determine:
SPDX-License-Identifier: tag); and
It would be interesting to explore whether this can be used to auto-conclude the binary file's license -- in other words, to fill in LicenseConcluded with some value other than NOASSERTION.
The most obvious approach would be to simply AND together the licenses of all the source files and/or libraries that are used as inputs. So, for instance, if a binary has four source file inputs, three of which contain Apache-2.0 licenses and the other contains ISC, then cmake-spdx could follow the relationships to determine that those are the four files used to create the binary, and then conclude the binary's license as Apache-2.0 AND ISC.
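One way to realise the AND-together approach described in this issue, as an added example in Go that is not part of cmake-spdx: it follows GENERATED_FROM relationships down to the leaf inputs (so a library built from sources is handled transitively, which goes beyond the four-file case above), ANDs the distinct licenses, parenthesises compound expressions, and leaves LicenseConcluded as NOASSERTION whenever any input's license is unknown. The Doc type and its maps are a constructed stand-in, not cmake-spdx's data model.

```go
package main

import (
	"sort"
	"strings"
)

// Doc is a constructed stand-in for an SPDX document: each element's license
// (LicenseInfoInFile for a source, or a library's concluded license) and the
// inputs each element was GENERATED_FROM.
type Doc struct {
	License map[string]string   // SPDX ID -> license expression
	Inputs  map[string][]string // SPDX ID -> IDs it was GENERATED_FROM
}

// ConcludeLicense walks GENERATED_FROM relationships from id to the leaf
// inputs and ANDs their distinct licenses. If any leaf has no usable license
// (NOASSERTION, NONE or empty), the conjunction is unknown as well.
func ConcludeLicense(d *Doc, id string) string {
	terms := map[string]bool{}
	if !collect(d, id, terms) || len(terms) == 0 {
		return "NOASSERTION"
	}
	out := make([]string, 0, len(terms))
	for t := range terms {
		out = append(out, t)
	}
	sort.Strings(out) // deterministic output; the map already merged duplicates
	return strings.Join(out, " AND ")
}

func collect(d *Doc, id string, terms map[string]bool) bool {
	if ins := d.Inputs[id]; len(ins) > 0 {
		for _, in := range ins {
			if !collect(d, in, terms) {
				return false
			}
		}
		return true
	}
	lic := strings.TrimSpace(d.License[id])
	if lic == "" || lic == "NOASSERTION" || lic == "NONE" {
		return false
	}
	if strings.Contains(lic, " ") {
		lic = "(" + lic + ")" // compound expression keeps its own precedence
	}
	terms[lic] = true
	return true
}
```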
It is admittedly a bit hard to follow in the spec, but my reading is the external document references must use SHA1.
This is based on section 2.6 subsection 2.6.4:
[Checksum] is a checksum of the external document following the checksum format defined in section 4.4.
In section 4.4 subsection 4.4.3:
4.4.3 Cardinality: Mandatory, one SHA1, others may be optionally provided.