spdx example clean-up

bdehamer · bdehamer · commit 649fde52fa83 · 2023-08-09T15:37:47.000-07:00
Signed-off-by: Brian DeHamer &lt;bdehamer@github.com&gt;
diff --git a/accepted/0000-sbom-command.md b/accepted/0000-sbom-command.md
@@ -142,10 +142,6 @@ The <code>[externalRefs](https://spdx.github.io/spdx-spec/v2.3/package-informati
 Making it a distinct command allows us to add SBOM-specific features in the future like a `--sign` flag which could be used to generate a signed SBOM. \
  \
 _Recommendation: Add a distinct command for generating an SBOM._
-
-* SPDX doesn’t provide a natural way to differentiate between the various npm dependency types like “dev”, “peer”, and “optional”. We might consider using something like the [package comment field](https://spdx.github.io/spdx-spec/v2.3/package-information/#720-package-comment-field) to capture this information. \
- \
- _Recommendation: Skip for the first version of this feature. Wait to see if there is demand for this information and/or if the specification evolves to account for this metadata._
  
 * Does `npm-sbom` command have a notion of a “default” SBOM format? Do we give preference to one of CycloneDX/SPDX or do we remain totally neutral (possibly at the expense of DX)? \
  \
@@ -304,7 +300,7 @@ The proposed SPDX SBOM generated for the project above would look like the follo
   "name": "hello-world@1.0.0",
   "documentNamespace": "http://spdx.org/spdxdocs/hello-world-1.0.0-<uuid>",
   "creationInfo": {
-    "created": "2023-08-04T21:41:02.071Z",
+    "created": "2023-08-09T22:31:28.107Z",
     "creators": [
       "Tool: npm/cli-9.8.1"
     ]
@@ -327,7 +323,7 @@ The proposed SPDX SBOM generated for the project above would look like the follo
         },
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "purl",
+          "referenceType": "purl",
           "referenceLocator": "pkg:npm/hello-world@1.0.0"
         }
       ]
@@ -341,12 +337,12 @@ The proposed SPDX SBOM generated for the project above would look like the follo
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "npm",
+          "referenceType": "npm",
           "referenceLocator": "@tsconfig/node14@1.0.3"
         },
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "purl",
+          "referenceType": "purl",
           "referenceLocator": "pkg:npm/%40tsconfig/node14@1.0.3"
         }
       ],
@@ -366,12 +362,12 @@ The proposed SPDX SBOM generated for the project above would look like the follo
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "npm",
+          "referenceType": "npm",
           "referenceLocator": "debug@4.3.4"
         },
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "purl",
+          "referenceType": "purl",
           "referenceLocator": "pkg:npm/debug@4.3.4"
         }
       ],
@@ -391,12 +387,12 @@ The proposed SPDX SBOM generated for the project above would look like the follo
       "externalRefs": [
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "npm",
+          "referenceType": "npm",
           "referenceLocator": "ms@2.1.2"
         },
         {
           "referenceCategory": "PACKAGE-MANAGER",
-          "referernceType": "purl",
+          "referenceType": "purl",
           "referenceLocator": "pkg:npm/ms@2.1.2"
         }
       ],
@@ -407,6 +403,28 @@ The proposed SPDX SBOM generated for the project above would look like the follo
         }
       ]
     }
+  ],
+  "relationships": [
+    {
+      "spdxElementId": "SPDXRef-DOCUMENT",
+      "relatedSpdxElement": "SPDXRef-Package-hello-world-1.0.0",
+      "relationshipType": "DESCRIBES"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-debug-4.3.4",
+      "relatedSpdxElement": "SPDXRef-Package-hello-world-1.0.0",
+      "relationshipType": "DEPENDENCY_OF"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-tsconfig.node14-1.0.3",
+      "relatedSpdxElement": "SPDXRef-Package-hello-world-1.0.0",
+      "relationshipType": "DEV_DEPENDENCY_OF"
+    },
+    {
+      "spdxElementId": "SPDXRef-Package-ms-2.1.2",
+      "relatedSpdxElement": "SPDXRef-Package-debug-4.3.4",
+      "relationshipType": "DEPENDENCY_OF"
+    }
   ]
 }
 ```

Original file line number	Diff line number	Diff line change
`@@ -142,10 +142,6 @@ The <code>[externalRefs](https://spdx.github.io/spdx-spec/v2.3/package-informati`
`142`	`142`	Making it a distinct command allows us to add SBOM-specific features in the future like a `--sign` flag which could be used to generate a signed SBOM. \
`143`	`143`	`\`
`144`	`144`	`_Recommendation: Add a distinct command for generating an SBOM._`
`145`		`-`
`146`		`-* SPDX doesn’t provide a natural way to differentiate between the various npm dependency types like “dev”, “peer”, and “optional”. We might consider using something like the [package comment field](https://spdx.github.io/spdx-spec/v2.3/package-information/#720-package-comment-field) to capture this information. \`
`147`		`- \`
`148`		`- _Recommendation: Skip for the first version of this feature. Wait to see if there is demand for this information and/or if the specification evolves to account for this metadata._`
`149`	`145`
`150`	`146`	* Does `npm-sbom` command have a notion of a “default” SBOM format? Do we give preference to one of CycloneDX/SPDX or do we remain totally neutral (possibly at the expense of DX)? \
`151`	`147`	`\`
`@@ -304,7 +300,7 @@ The proposed SPDX SBOM generated for the project above would look like the follo`
`304`	`300`	`"name": "[email protected]",`
`305`	`301`	`"documentNamespace": "http://spdx.org/spdxdocs/hello-world-1.0.0-<uuid>",`
`306`	`302`	`"creationInfo": {`
`307`		`- "created": "2023-08-04T21:41:02.071Z",`
	`303`	`+ "created": "2023-08-09T22:31:28.107Z",`
`308`	`304`	`"creators": [`
`309`	`305`	`"Tool: npm/cli-9.8.1"`
`310`	`306`	`]`
`@@ -327,7 +323,7 @@ The proposed SPDX SBOM generated for the project above would look like the follo`
`327`	`323`	`},`
`328`	`324`	`{`
`329`	`325`	`"referenceCategory": "PACKAGE-MANAGER",`
`330`		`- "referernceType": "purl",`
	`326`	`+ "referenceType": "purl",`
`331`	`327`	`"referenceLocator": "pkg:npm/[email protected]"`
`332`	`328`	`}`
`333`	`329`	`]`
`@@ -341,12 +337,12 @@ The proposed SPDX SBOM generated for the project above would look like the follo`
`341`	`337`	`"externalRefs": [`
`342`	`338`	`{`
`343`	`339`	`"referenceCategory": "PACKAGE-MANAGER",`
`344`		`- "referernceType": "npm",`
	`340`	`+ "referenceType": "npm",`
`345`	`341`	`"referenceLocator": "@tsconfig/[email protected]"`
`346`	`342`	`},`
`347`	`343`	`{`
`348`	`344`	`"referenceCategory": "PACKAGE-MANAGER",`
`349`		`- "referernceType": "purl",`
	`345`	`+ "referenceType": "purl",`
`350`	`346`	`"referenceLocator": "pkg:npm/%40tsconfig/[email protected]"`
`351`	`347`	`}`
`352`	`348`	`],`
`@@ -366,12 +362,12 @@ The proposed SPDX SBOM generated for the project above would look like the follo`
`366`	`362`	`"externalRefs": [`
`367`	`363`	`{`
`368`	`364`	`"referenceCategory": "PACKAGE-MANAGER",`
`369`		`- "referernceType": "npm",`
	`365`	`+ "referenceType": "npm",`
`370`	`366`	`"referenceLocator": "[email protected]"`
`371`	`367`	`},`
`372`	`368`	`{`
`373`	`369`	`"referenceCategory": "PACKAGE-MANAGER",`
`374`		`- "referernceType": "purl",`
	`370`	`+ "referenceType": "purl",`
`375`	`371`	`"referenceLocator": "pkg:npm/[email protected]"`
`376`	`372`	`}`
`377`	`373`	`],`
`@@ -391,12 +387,12 @@ The proposed SPDX SBOM generated for the project above would look like the follo`
`391`	`387`	`"externalRefs": [`
`392`	`388`	`{`
`393`	`389`	`"referenceCategory": "PACKAGE-MANAGER",`
`394`		`- "referernceType": "npm",`
	`390`	`+ "referenceType": "npm",`
`395`	`391`	`"referenceLocator": "[email protected]"`
`396`	`392`	`},`
`397`	`393`	`{`
`398`	`394`	`"referenceCategory": "PACKAGE-MANAGER",`
`399`		`- "referernceType": "purl",`
	`395`	`+ "referenceType": "purl",`
`400`	`396`	`"referenceLocator": "pkg:npm/[email protected]"`
`401`	`397`	`}`
`402`	`398`	`],`
`@@ -407,6 +403,28 @@ The proposed SPDX SBOM generated for the project above would look like the follo`
`407`	`403`	`}`
`408`	`404`	`]`
`409`	`405`	`}`
	`406`	`+ ],`
	`407`	`+ "relationships": [`
	`408`	`+ {`
	`409`	`+ "spdxElementId": "SPDXRef-DOCUMENT",`
	`410`	`+ "relatedSpdxElement": "SPDXRef-Package-hello-world-1.0.0",`
	`411`	`+ "relationshipType": "DESCRIBES"`
	`412`	`+ },`
	`413`	`+ {`
	`414`	`+ "spdxElementId": "SPDXRef-Package-debug-4.3.4",`
	`415`	`+ "relatedSpdxElement": "SPDXRef-Package-hello-world-1.0.0",`
	`416`	`+ "relationshipType": "DEPENDENCY_OF"`
	`417`	`+ },`
	`418`	`+ {`
	`419`	`+ "spdxElementId": "SPDXRef-Package-tsconfig.node14-1.0.3",`
	`420`	`+ "relatedSpdxElement": "SPDXRef-Package-hello-world-1.0.0",`
	`421`	`+ "relationshipType": "DEV_DEPENDENCY_OF"`
	`422`	`+ },`
	`423`	`+ {`
	`424`	`+ "spdxElementId": "SPDXRef-Package-ms-2.1.2",`
	`425`	`+ "relatedSpdxElement": "SPDXRef-Package-debug-4.3.4",`
	`426`	`+ "relationshipType": "DEPENDENCY_OF"`
	`427`	`+ }`
`410`	`428`	`]`
`411`	`429`	`}`
`412`	`430`	```