I'm currently implementing Source SBoMs for the Elixir programming language. To get as much detail into it as possible and also get adequate CycloneDX output (only contains packages, not project), I would like to change my

Before:

```yaml
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2025-02-05T12:29:35Z"
  creators:
    - "Organization: The Elixir Team"
  licenseListVersion: "3.9"
name: "elixir"
dataLicense: "CC0-1.0"
documentNamespace: "https://github.com/elixir-lang/elixir"
documentDescribes:
  - "SPDXRef-Package-elixir"
packages:
  - SPDXID: "SPDXRef-Package-elixir"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
    licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
    name: "elixir"
    packageFileName: "./"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/elixir"
        comment: "OTP PURL"
```

After:

```yaml
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2025-02-05T12:29:35Z"
  creators:
    - "Organization: The Elixir Team"
  licenseListVersion: "3.9"
name: "elixir"
dataLicense: "CC0-1.0"
documentNamespace: "https://github.com/elixir-lang/elixir"
documentDescribes:
  - "SPDXRef-Package-elixir-lang"
packages:
  - SPDXID: "SPDXRef-Package-elixir-lang"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
    licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
    name: "elixir-lang"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:github/elixir-lang/elixir"
        comment: "GitHub PURL"
  - SPDXID: "SPDXRef-Package-eex"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0"
    licenseDeclared: "Apache-2.0"
    name: "eex"
    packageFileName: "./lib/eex"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/eex"
        comment: "OTP PURL"
  - SPDXID: "SPDXRef-Package-elixir"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0 AND LicenseRef-scancode-unicode"
    licenseDeclared: "Apache-2.0 AND LicenseRef-scancode-unicode"
    name: "elixir"
    packageFileName: "./lib/elixir"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/elixir"
        comment: "OTP PURL"
  - SPDXID: "SPDXRef-Package-exunit"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0"
    licenseDeclared: "Apache-2.0"
    name: "exunit"
    packageFileName: "./lib/ex_unit"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/ex_unit"
        comment: "OTP PURL"
  - SPDXID: "SPDXRef-Package-iex"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0"
    licenseDeclared: "Apache-2.0"
    name: "iex"
    packageFileName: "./lib/iex"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/iex"
        comment: "OTP PURL"
  - SPDXID: "SPDXRef-Package-logger"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0"
    licenseDeclared: "Apache-2.0"
    name: "logger"
    packageFileName: "./lib/logger"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/logger"
        comment: "OTP PURL"
  - SPDXID: "SPDXRef-Package-mix"
    summary: "About Elixir is a dynamic, functional language for building scalable and maintainable applications"
    copyrightText: "Copyright (c) 2012 Plataformatec. Copyright (c) 2021 The Elixir Team. All Rights Reserved."
    downloadLocation: "git+https://github.com/elixir-lang/elixir.git"
    filesAnalyzed: false
    homepage: "https://elixir-lang.org/"
    licenseConcluded: "Apache-2.0"
    licenseDeclared: "Apache-2.0"
    name: "mix"
    packageFileName: "./lib/mix"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:otp/mix"
        comment: "OTP PURL"
  - SPDXID: "SPDXRef-Package-erlang"
    description: "Erlang is a programming language and runtime system for building massively scalable soft real-time systems with requirements on high availability."
    copyrightText: "Copyright Ericsson AB 2010-2024. All Rights Reserved."
    downloadLocation: "git+https://github.com/erlang/otp.git"
    filesAnalyzed: false
    homepage: "https://www.erlang.org/"
    licenseConcluded: "NOASSERTION"
    licenseDeclared: "Apache-2.0"
    name: "erlang"
    externalRefs:
      - referenceCategory: PACKAGE-MANAGER
        referenceType: "purl"
        referenceLocator: "pkg:github/erlang/otp"
        comment: "GitHub PURL"
relationships:
  - spdxElementId: "SPDXRef-Package-elixir-lang"
    relatedSpdxElement: "SPDXRef-Package-eex"
    relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
  - spdxElementId: "SPDXRef-Package-elixir-lang"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
  - spdxElementId: "SPDXRef-Package-elixir-lang"
    relatedSpdxElement: "SPDXRef-Package-exunit"
    relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
  - spdxElementId: "SPDXRef-Package-elixir-lang"
    relatedSpdxElement: "SPDXRef-Package-iex"
    relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
  - spdxElementId: "SPDXRef-Package-elixir-lang"
    relatedSpdxElement: "SPDXRef-Package-logger"
    relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
  - spdxElementId: "SPDXRef-Package-elixir-lang"
    relatedSpdxElement: "SPDXRef-Package-mix"
    relationshipType: "STATIC_LINK" # Should be CONTAINS, issue with ORT
  # SPDX 2.2 reads "A RUNTIME_DEPENDENCY_OF B" as "A is required to run B",
  # so the runtime (erlang) is the subject and elixir the related element.
  - spdxElementId: "SPDXRef-Package-erlang"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "RUNTIME_DEPENDENCY_OF"
  - spdxElementId: "SPDXRef-Package-eex"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "STATIC_LINK"
  - spdxElementId: "SPDXRef-Package-exunit"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "STATIC_LINK"
  - spdxElementId: "SPDXRef-Package-iex"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "STATIC_LINK"
  - spdxElementId: "SPDXRef-Package-logger"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "STATIC_LINK"
  - spdxElementId: "SPDXRef-Package-mix"
    relatedSpdxElement: "SPDXRef-Package-elixir"
    relationshipType: "STATIC_LINK"
```

Unfortunately, by doing that, the exclusions and curations (license findings) are no longer applied. I tried to work around the issue with the following approaches:
Did I implement things correctly, and is what I'm trying to do even possible with ORT as it is right now?

Context:
@maennchen The right way forward for now in my opinion is for you to implement SBOM output in Elixir, and then an ORT Elixir analyzer plugin needs to be implemented that executes Elixir's SBOM command and then ingests the resulting SBOM.
@maennchen project.spdx.yml and related package.spdx.yml were implemented in ORT as fallbacks for when ORT does not support a package manager or if there is no package manager, e.g. C/C++ projects. These are specially crafted/reduced SPDX files that are valid by the SPDX spec v2.2, but I do not recommend you use them as a base for an ORT integration. We have an issue open to support SBOMs as first-class input to ORT, see #9878, but the issue is that if you take 6 SBOM tools you get 6 different SBOMs, as neither CycloneDX nor SPDX has a test suite/guidelines that describe how to map a given reality in code into a SBOM.