Thanks for sharing. Some questions:
Is your intent with the non-commercial use provision to mean no commercial entities can use the format? Or was it to prohibit people from charging?
If it’s the latter, the license choice may be too broad. An issue I see with an NC license is that this may limit any potential adoption because commercial entities are primarily the entities that would use this type of data.
Have you taken a look at SPDX for the license meta-data? While SEvA is a broader solution, there may be some duplication in efforts on the license side that can be avoided.
I’ve been on the list for a while and wanted to share some work we’ve been doing. The issues we’ve been trying to solve are the portability and sharing of meta-data around a piece of software. For instance, analysis that is completed in one place and needs to move with the software.
To solve that we’ve come up with an XML/JSON format to ship results around; GitHub repo here:
Software Evidence Archive (SEvA)
SEvA is a specification for encapsulating software supply chain metadata and delivering it with a clear and concise schema for parsing using automation. The SEvA definition is divided into several sections.
There is a brief description of each section listed below.
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License.
Product and version information
Contains any product naming or version related information.
File and mime type information
Contains any file types detected within the source artifact or source repository. It also contains the related mime types for each file detected.
Authoritative source information
Contains any information about what is to be considered the authoritative source for a given artifact or source repository. This includes a URL, hash of the source and whether or not the source has been signed.
Ecosystem and community information
Contains information pertaining to a software project’s ecosystem (programming languages, URLs, etc.) and community information (number of committers, mailing list activity, overall sentiment, etc.).
Contains a list of dependencies (naming, versions, vulnerabilities) for a given software project derived directly from the artifact or source dependency definition file.
Contains any license information detected from a given artifact or source.
Vulnerability and virus information
Contains any vulnerability or virus definitions detected from the artifact or source repository.
Result of GRC information
Contains the calculated risk and compliance to governance from the analysis of the software artifact or source repository.
Contains any delivery information including the target URL and last delivered date and time. This will not include any information for the current delivery as the SEvA is signed prior to delivery.
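The post says the SEvA document is signed before delivery, so the delivery section necessarily sits outside the signed content. The following is an added example, not code from the SEvA project or the poster, showing how a consumer can check that property: it signs only the analysis sections listed above, appends delivery information afterwards, and confirms that verification still succeeds while any edit to a signed section (here, the vulnerability list) fails. The JSON key names, the sample product and dependency values, and the shared-key HMAC stand-in for whatever signature scheme SEvA actually uses are all assumptions made for this illustration; the page specifies none of them.

```python
import hashlib
import hmac
import json

# Section names follow the list in the post; the key names and nesting
# are assumptions for illustration, not the SEvA schema itself.
SIGNED_SECTIONS = (
    "product", "files", "authoritative_source", "ecosystem",
    "dependencies", "licenses", "vulnerabilities", "grc",
)
# Appended after signing, so never part of the signed payload.
UNSIGNED_SECTIONS = ("delivery",)


def canonical_bytes(doc):
    """Serialize only the signed sections, deterministically (sorted keys,
    no whitespace), so signer and verifier hash identical bytes."""
    payload = {k: doc[k] for k in SIGNED_SECTIONS if k in doc}
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign(doc, key):
    # HMAC-SHA256 stands in for a real (asymmetric) signature; see usage note.
    return hmac.new(key, canonical_bytes(doc), hashlib.sha256).hexdigest()


def verify(doc, key):
    """True only if the stored signature matches the signed sections as received."""
    expected = doc.get("signature")
    if not isinstance(expected, str):
        return False
    return hmac.compare_digest(sign(doc, key), expected)


def record_delivery(doc, target_url, delivered_at):
    """Add the delivery section after signing; signed sections are untouched."""
    delivered = dict(doc)
    delivered["delivery"] = {"target_url": target_url, "last_delivered": delivered_at}
    return delivered


def build_sample_doc():
    """Constructed sample document; product, dependency and hash values are made up."""
    source_blob = b"constructed stand-in for the source tarball bytes"
    return {
        "product": {"name": "example-lib", "version": "1.2.3"},
        "files": [{"path": "src/main.c", "mime": "text/x-c"}],
        "authoritative_source": {
            "url": "https://example.invalid/example-lib-1.2.3.tar.gz",
            "sha256": hashlib.sha256(source_blob).hexdigest(),
            "signed": False,
        },
        "ecosystem": {"languages": ["C"], "committers": 4},
        "dependencies": [{"name": "zlib", "version": "1.2.11", "vulnerabilities": []}],
        "licenses": ["MIT"],
        "vulnerabilities": [],
        "grc": {"risk_score": 2, "compliant": True},
    }


def demo(key):
    """Return (valid_before_delivery, valid_after_delivery, valid_after_tamper)."""
    doc = build_sample_doc()
    doc["signature"] = sign(doc, key)
    before = verify(doc, key)
    delivered = record_delivery(doc, "https://example.invalid/intake", "2024-01-01T00:00:00Z")
    after = verify(delivered, key)
    tampered = dict(delivered)
    tampered["vulnerabilities"] = [{"id": "PLACEHOLDER-ID", "note": "inserted after signing"}]
    return before, after, verify(tampered, key)


if __name__ == "__main__":
    print(demo(b"constructed-demo-key"))  # expected: (True, True, False)
```

The HMAC keeps the example dependency-free, but it means the receiver holds the same key the signer used and could forge documents; a real deployment of a format like this would sign with an asymmetric key so that consumers only hold the public half. The other design point worth noting is that anything placed in an unsigned section, such as the delivery target URL, carries no integrity guarantee and should be treated as untrusted metadata by whatever processes the document downstream.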