feat: prototype 3.0 model #247
Conversation
kzantow
force-pushed
the
feat/spdx-3-prototype
branch
2 times, most recently
from
b71353a to
936ae58
Compare
kzantow
force-pushed
the
feat/spdx-3-prototype
branch
2 times, most recently
from
ea44d2b to
14db0d0
Compare
Signed-off-by: Keith Zantow <kzantow@gmail.com>
kzantow
force-pushed
the
feat/spdx-3-prototype
branch
from
14db0d0 to
8e9125f
Compare
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
Signed-off-by: Keith Zantow <kzantow@gmail.com>
| pkg2 := &spdx.AiAIPackage{} | ||
| pkg2.Name = "some-package-2" | ||
| pkg2.SoftwarePackageVersion = "2.4.5" |
There was a problem hiding this comment.
But it's also possible to avoid the nesting by accessing properties like this.
| pkg1 := &spdx.SoftwarePackage{ | ||
| SoftwareSoftwareArtifact: spdx.SoftwareSoftwareArtifact{Artifact: spdx.Artifact{Element: spdx.Element{ | ||
| Name: "some-package-1", | ||
| }}}, | ||
| SoftwarePackageVersion: "1.2.3", | ||
| } |
There was a problem hiding this comment.
I'm just going to call out the two least desirable traits of this proposal: moderately deep inheritance heirarchies with embedding are not especially fun to work with in initializers (the other proposal/implementation also uses embedding), since you must nest embedded types like this to set the "parent" type properties.
spdx/v3/v3_0/spdx_test.go
Outdated
| for _, sbom := range doc.RootElements.SoftwareSbomIter() { | ||
| for _, rel := range sbom.RootElements.RelationshipIter() { | ||
| if rel.RelationshipType == spdx.RelationshipType_Contains { | ||
| spdx.As(rel.From, func(f *spdx.SoftwareFile) { |
There was a problem hiding this comment.
The second thing is accessing single-instance properties like this. There is no magic typing as is done with the specialized collections that could be done to add methods like rel.From.SoftwareFile(), for example. This means it's required to type assert... but because of the inheritance, you cannot type assert to *spdx.SoftwareFile, or you'll miss any subtypes, so the spdx.As function is a helper that simply switches on the type provided -- in this case *spdx.SoftwareFile switches to test for spdx.AnySoftwareFile interface, and if found calls .asSoftwareFile() to get a reference. This allows the inheritance to work properly at the expense of not really being able to do anything idiomatic here.
Signed-off-by: Keith Zantow <kzantow@gmail.com>
| if rel.RelationshipType != spdx.RelationshipType_Contains { | ||
| continue | ||
| } | ||
| _ = spdx.As(rel.From, func(f *spdx.SoftwareFile) any { |
There was a problem hiding this comment.
The second thing is accessing single-instance properties like this. There is no magic typing as is done with the specialized collections that could be done to add methods like rel.From.SoftwareFile(), for example. This means it's required to type assert... but because of the inheritance, you cannot type assert to *spdx.SoftwareFile, or you'll miss any subtypes, so the spdx.As function is a helper that simply switches on the type provided -- in this case *spdx.SoftwareFile switches to test for spdx.AnySoftwareFile interface, and if found calls .asSoftwareFile() to get a reference. This allows the inheritance to work properly at the expense of not really being able to do anything idiomatic here.
This PR implements one possible data model to support SPDX 3, along with functional JSON serialization / deserialization. There are sure to be some rough edges!
The easiest way to understand what usage looks like is to check out the tests -- they perform some basic document creation, along with serializing, deserializing, and re-serializing to verify the documents are the same.
A few rough edges with SPDX 3 in general seem to be:
This PR does not add anything in the way of data validation, so it is probably pretty easy to create invalid documents. How to handle this is TBD.
This PR also does not add any conversion functionality to/from older versions of SPDX.
Feedback requested!