Re: Software Evidence Archive (SEvA)


john
 

SPDX seemed to only contain data around licensing and bills of materials (for dependencies) but didn’t include data around what tests were run, virus scanning, etc. results for a particular build of software or source code.

The main part for non-commercial was to limit license forking.


-------------------------------------------
John Scott, President
Selection Pressure LLC
 240.401.6574 @johnmscott
< john@...  >
www.selectpress.net

On February 22, 2018 at 6:39:57 PM, Alan Tse (alan.tse@...) wrote:

Thanks for sharing.  Some questions:

1.      Is your intent with the non-commercial use provision to mean no commercial entities can use the format?  Or was it to prohibit people from charging?  If it’s the latter, the license choice may be too broad.  An issue I see with a NC license is that this may limit any potential adoption because commercial entities are primarily the entities that would use this type of data.

2.      Have you taken a look at SPDX for the license meta-data?  While SEvA is a broader solution, there may be some duplication in efforts on the license side that can be avoided.

 

Alan D. Tse

 

From: openchain-bounces@... [mailto:openchain-bounces@...] On Behalf Of John Scott
Sent: Thursday, February 22, 2018 2:55 PM
To: openchain@...
Subject: [OpenChain] Software Evidence Archive (SEvA)

 

Hi All:

I’ve been on the list for a while and wanted to share some work we’ve been doing. The issue we’ve been trying to solve is the portability and sharing of meta-data around a piece of software. For instance, analysis that is completed in one place and needs to move with the software.

 

To solve that we’ve come up with an XML/JSON format to ship results around, GitHub repo here: 

thanks, js

 

Software Evidence Archive (SEvA)

SEvA is a specification for encapsulating software supply chain metadata and delivering it with a clear and concise schema for parsing using automation. The SEvA definition is divided into several sections. There is a brief description of each section listed below.

License

Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License.

Product and version information

Contains any product naming or version related information.

File and mime type information

Contains any file types detected within the source artifact or source repository. It also contains the related mime types for each file detected.

Authoritative source information

Contains any information about what is to be considered the authoritative source for a given artifact or source repository. This includes a URL, hash of the source and whether or not the source has been signed.

Ecosystem and community information

Contains information pertaining to a software project’s ecosystem (programming languages, URLs, etc.) and community information (number of committers, mailing list activity, overall sentiment, etc.).

Dependency information

Contains a list of dependencies (naming, versions, vulnerabilities) for a given software project derived directly from the artifact or source dependency definition file.

License information

Contains any license information detected from a given artifact or source.

Vulnerability and virus information

Contains any vulnerability or virus definitions detected from the artifact or source repository.

Result of GRC information

Contains the calculated risk and compliance to governance from the analysis of the software artifact or source repository.

Delivery information

Contains any delivery information including the target URL and last delivered date and time. This will not include any information for the current delivery as the SEvA is signed prior to delivery.

 

-------------------------------------------

John Scott, President

Selection Pressure LLC

 240.401.6574 @johnmscott

< john@...  >
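The section list above describes a format for carrying evidence with a piece of software, signed before delivery. The following is an added illustration, not code from the SEvA project and not its actual schema: the section keys, field names, sample archive, artifact bytes and key are all constructed assumptions that simply mirror the sections named in the message. It shows the two checks a consumer of such an archive would want to automate: that the artifact actually received matches the authoritative-source hash recorded in the archive, and that the evidence body is integrity-protected while the delivery section, which changes after signing, is excluded from what the signature covers. An HMAC-SHA256 tag stands in for a real digital signature.

```python
import hashlib
import hmac
import json

# Section keys are assumptions mirroring the sections listed in the message;
# they are not the SEvA project's real schema keys.
REQUIRED_SECTIONS = (
    "product", "files", "authoritative_source", "ecosystem",
    "dependencies", "licenses", "vulnerabilities", "grc", "delivery",
)

# Constructed sample artifact and archive (not real project data).
ARTIFACT = b"print('hello from a constructed sample artifact')\n"
SAMPLE_ARCHIVE = {
    "product": {"name": "sample-tool", "version": "1.2.3"},
    "files": [{"path": "main.py", "mime": "text/x-python"}],
    "authoritative_source": {
        "url": "https://example.invalid/sample-tool/1.2.3",
        "sha256": hashlib.sha256(ARTIFACT).hexdigest(),
        "signed": True,
    },
    "ecosystem": {"languages": ["python"], "committers": 4},
    "dependencies": [{"name": "requests", "version": "2.18.4", "vulnerabilities": []}],
    "licenses": ["Apache-2.0"],
    "vulnerabilities": {"cves": [], "viruses": []},
    "grc": {"risk_score": 2, "compliant": True},
    "delivery": {"target_url": "https://example.invalid/inbox", "last_delivered": None},
}


def missing_sections(archive):
    """Return the required section names that are absent from the archive."""
    return [s for s in REQUIRED_SECTIONS if s not in archive]


def canonical_bytes(archive):
    """Deterministically serialise every section except delivery info and the tag.

    Delivery info is excluded because the archive is signed before delivery,
    so that section must be free to change without breaking the signature.
    """
    body = {k: v for k, v in archive.items() if k not in ("delivery", "signature")}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_archive(archive, key):
    """Return a deep copy of the archive with an HMAC-SHA256 tag attached."""
    signed = json.loads(json.dumps(archive))
    signed["signature"] = hmac.new(key, canonical_bytes(signed), hashlib.sha256).hexdigest()
    return signed


def verify_archive(archive, key):
    """Recompute the tag over the canonical body and compare in constant time."""
    expected = hmac.new(key, canonical_bytes(archive), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, archive.get("signature", ""))


def artifact_matches_source(archive, artifact_bytes):
    """Check the artifact actually received against the recorded authoritative hash."""
    recorded = archive["authoritative_source"]["sha256"]
    return hmac.compare_digest(hashlib.sha256(artifact_bytes).hexdigest(), recorded)


if __name__ == "__main__":
    key = b"constructed-demo-key"
    signed = sign_archive(SAMPLE_ARCHIVE, key)
    print("sections missing:", missing_sections(signed))
    print("artifact matches recorded hash:", artifact_matches_source(signed, ARTIFACT))
    # Recording a delivery must not invalidate the signature...
    signed["delivery"]["last_delivered"] = "2018-02-22T14:55:00-05:00"
    print("valid after delivery update:", verify_archive(signed, key))
    # ...but altering the evidence body must.
    signed["licenses"] = ["GPL-3.0-only"]
    print("valid after tampering:", verify_archive(signed, key))
```

The two verification functions are deliberately separate: a valid tag proves the archive was not altered since signing, while the hash comparison proves the artifact in hand is the one the evidence describes. A consumer needs both before trusting the test, scan and license results the archive carries.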
