Re: Software Evidence Archive (SEvA)

Kate Stewart

Hi John,
    Thanks for sharing the information on SEvA.   

    In scanning through the repository,  its not clear to me that when you're using <licenses>3DFX</licenses>, are you expecting them to licenses 
off the SPDX license list?   are SPDX license expressions ok?

Also,   for the fields that are in common with SPDX (Software Package Data eXchange),  
to promote interoperability,  are you using the same data formatting/parsing constraints?
I can't quite tell from the descriptions I'm finding, but feel free to point me to details. :-)
The package level fields that are likely to overlap with SPDX are described in

Also, If you want to propose the format for some of the fields that the SPDX
specification doesn't have,  we're working on the 2.2 version of the specification
at the moment, and submitting issues to the github repository, gets the proposal
on the discussion list. 


On Thu, Feb 22, 2018 at 6:09 PM, John Scott <john@...> wrote:
SPDX seemed to only contain data around licensing and bills of materials (for dependencies) but didn’t include data around what tests were run, virus scanning, etc. results for a particular build of software or source  code. 

the main part for non-commercial was to limit license forking 

John Scott, President
Selection Pressure LLC
 240.401.6574 @johnmscott
< john@...  >

On February 22, 2018 at 6:39:57 PM, Alan Tse (alan.tse@...) wrote:

Thanks for sharing.  Some questions:

1.      Is your intent with the non-commercial use provision to mean no commercial entities can use the format?  Or was it to prohibit people from charging?  If it’s the latter, the license choice may be too broad.  An issue I see with a NC license is that this may limit any potential adoption because commercial entities are primarily the entities that would use this type of data.

2.      Have you taken a look at SPDX for the license meta-data?  While SEvA is a broader solution, there may be some duplication in efforts on the license side that can be avoided.


Alan D. Tse


From: [] On Behalf Of John Scott
Sent: Thursday, February 22, 2018 2:55 PM
Subject: [OpenChain] Software Evidence Archive (SEvA)


Hi All:

I’ve been on the list for a while and wanted to share some work we’re been doing. The issues we’ve been trying to solve is the portability and sharing of meta-data around a piece of software. For instance analysis that is completed in one place and needs to move with the software.


To solve that we’ve come up a with a XML/JSON format to ship results around, GitHub repo here: 

thanks, js


Software Evidence Archive (SEvA)

SEvA is specification for encapsulating software supply chain metadata and delivering with a clear and concise schema for parsing using automation. The SEvA definition is divided into several sections. There is a brief description of each section listed below.


Creative Commons License
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License.

Product and version information

Contains any product naming or version related information.

File and mime type information

Contains any file types detected within the source artifact or source repository. It also contains the related mime types for each file detected.

Authoritative source information

Contains any information about what is to be considered the authoritative source for ad given artifact or source repository. This includes a URL, hash of the source and whether or not the source has been signed.

Ecosystem and community information

Contains information pertaining to a software projects ecosystem (programming languages, urls, etc.) and community information (number of committers, mailing list activity, overall sentiment, etc).

Dependency information

Contains a list of dependencies (naming, versions, vulnerabilities) for a given software project derived directly from the artifact or source dependency definition file.

License information

Contains any license information detected from a given artifact or source.

Vulnerability and virus information

Contains any vulnerability or virus definitions detected from the artifact or source repository.

Result of GRC information

Contains the calculated risk and compliance to governance from the analysis of the software artifact or source repository.

Delivery information

Contains any delivery information including the target url and last delivered date and time. This will not include any information for the current delivery as the seva is signed prior to delivery.



John Scott, President

Selection Pressure LLC

 240.401.6574 @johnmscott

< john@...  >

OpenChain mailing list

Join to automatically receive all group messages.