Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support SPDX json export #204

Open
hfhbd opened this issue May 4, 2023 · 2 comments
Open

Support SPDX json export #204

hfhbd opened this issue May 4, 2023 · 2 comments

Comments

@hfhbd
Copy link
Contributor

hfhbd commented May 4, 2023

https://spdx.dev
SPDX is a standard for license information of a software product and its dependencies. The current artifacts.json isn't a standard. I have a prototype to generate a spdx.json file and would like to publish it too.

The prototype based on the artifacts.json file, but this file lacks a graph and some properties. Instead, this format needs to use the maven pom files/apis directly.

Needed properties:

  • (nullable) variant
  • (nullable) scm organization
  • download location (repo)
  • jar checksum
  • dependency graph
@JakeWharton
Copy link
Collaborator

Can we still include the extra stuff that's in our JSON today? Or is the format too strict?

@hfhbd
Copy link
Contributor Author

hfhbd commented May 5, 2023

Do you mean, you want to put the content of the artifacts.json in the spdx.json? The spdx spec is a superset of the current artifacts.json file. It includes everything of the current json, but spdx is more detailed and way more complex.
Depending on your use-case (at cash?) and maybe small apps, I would keep the artifacts.json file for easy usages.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@JakeWharton @hfhbd