Re: Software Evidence Archive (SEvA)

Camille Moulin

Hi Scott,

Thanks for sharing, it seems very interesting.

One question about the licence, though: why the NC clause in your CC-BY-NC-SA-3.0 licence?

On 22/02/2018 at 23:54, John Scott wrote:

Hi All:
I’ve been on the list for a while and wanted to share some work we’ve been doing. The issue we’ve been trying to solve is the portability and sharing of metadata around a piece of software. For instance, analysis that is completed in one place and needs to move with the software.

To solve that we’ve come up with an XML/JSON format to ship results around, GitHub repo here: 
thanks, js

Software Evidence Archive (SEvA)

SEvA is a specification for encapsulating software supply chain metadata and delivering it with a clear and concise schema for parsing using automation. The SEvA definition is divided into several sections. There is a brief description of each section listed below.

This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 United States License.

Product and version information

Contains any product naming or version related information.

File and mime type information

Contains any file types detected within the source artifact or source repository. It also contains the related mime types for each file detected.

Authoritative source information

Contains any information about what is to be considered the authoritative source for a given artifact or source repository. This includes a URL, a hash of the source and whether or not the source has been signed.

Ecosystem and community information

Contains information pertaining to a software project's ecosystem (programming languages, URLs, etc.) and community information (number of committers, mailing list activity, overall sentiment, etc.).

Dependency information

Contains a list of dependencies (naming, versions, vulnerabilities) for a given software project derived directly from the artifact or source dependency definition file.

License information

Contains any license information detected from a given artifact or source.

Vulnerability and virus information

Contains any vulnerability or virus definitions detected from the artifact or source repository.

Result of GRC information

Contains the calculated risk and compliance to governance from the analysis of the software artifact or source repository.

Delivery information

Contains any delivery information including the target URL and last delivered date and time. This will not include any information for the current delivery, as the SEvA is signed prior to delivery.

John Scott, President
Selection Pressure LLC
 240.401.6574 @johnmscott
< john@...  >
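An added example, not code from the SEvA repository (whose actual schema is not shown in this thread): it assumes a JSON layout with the nine sections John lists, uses HMAC-SHA256 as a stand-in for whatever signing SEvA actually uses, and shows two checks a consumer would want, that the received artifact matches the authoritative-source hash, and that the current delivery record stays outside the signed body so the signature made before delivery still verifies.

```python
import hashlib
import hmac
import json

# Constructed sample artifact and signing key (assumptions; a real SEvA would
# reference a real release file and use the project's own signing mechanism).
ARTIFACT = b"example-1.2.3.tar.gz contents (constructed)"
SIGNING_KEY = b"demo-key-not-for-production"

def build_seva(artifact: bytes) -> dict:
    """Assemble a SEvA-style record using the section names from the thread.
    Field names inside each section are assumptions; the thread names sections only."""
    return {
        "product": {"name": "example", "version": "1.2.3"},
        "files": [{"path": "src/main.c", "mime": "text/x-c"}],
        "authoritative_source": {
            "url": "https://example.invalid/example-1.2.3.tar.gz",
            "sha256": hashlib.sha256(artifact).hexdigest(),
            "signed": True,
        },
        "ecosystem": {"languages": ["C"], "committers": 4},
        "dependencies": [{"name": "zlib", "version": "1.2.11", "vulnerabilities": []}],
        "licenses": ["MIT"],
        "vulnerabilities": [],
        "grc": {"risk": "low", "compliant": True},
        # Only previous deliveries belong here: the record is signed before
        # delivery, so the current one is carried outside the signed body.
        "delivery": [{"target": "https://mirror.invalid/", "at": "2018-02-01T00:00:00Z"}],
    }

def canonical(doc: dict) -> bytes:
    # Deterministic serialisation so signing and verification see identical bytes.
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()

def sign(doc: dict, key: bytes) -> str:
    return hmac.new(key, canonical(doc), hashlib.sha256).hexdigest()

def verify(doc: dict, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign(doc, key), sig)

def source_matches(doc: dict, artifact: bytes) -> bool:
    # Does the artifact we received match the authoritative-source hash in the record?
    return doc["authoritative_source"]["sha256"] == hashlib.sha256(artifact).hexdigest()

def deliver(doc: dict, sig: str, target: str, when: str) -> dict:
    """Shipping envelope: signed body, its signature, and a detached current-delivery record."""
    return {"seva": doc, "signature": sig,
            "current_delivery": {"target": target, "at": when}}
```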

OpenChain mailing list