Re: [csaf] Generic Software Identification Parameter/Attribute to be included in CSAF 2.0 schema.

[Eric Johnson <eric@tibco.com>]

Hi Omar,

Sorry I didn't manage to get off a response to this before our meeting yesterday.

On Tue, Nov 27, 2018 at 5:31 PM Omar Santos (osantos) <osantos@cisco.com> wrote:

This is to continue the discussion related to aÂGeneric Software Identification Parameter/Attribute to be included in CSAF 2.0 schema.

The following is the current CSAF 2.0 draft schema:

https://github.com/oasis-tcs/csaf/blob/master/sandbox/csaf_2.0/json_schema/csaf_json_schema.json

Under full_product_name there is a CPE property. Replacing CPE for âstandard_product_identifierâ (or similar) may be the best place. Then the $ref: could be to a pointer to a SWID, CO-SWID, SPDX, etc docâ Thoughts or suggestions?

Due to the expectations and processing model behind JSON, I don't see the need or value to be generic. Put differently, in a JSON instance, the product definition could have a property for cpe, swid, spdx. The JSON schema could then more readily validate the corresponding value the property with a regular _expression_ match, at least. That also gives us the freedom, in some ideal future, to decide that one of these properties might be required, while the others could continue to be optional.

So instead of having "standard_product_identifier" as a property, and then have the implementation required to distinguish the kind of identifier based on the value, why not have "cpe", "swid", "co_swid", "spdx" as distinct properties?

Eric.

Â

"full_product_name_t": {
	"type": "object",
	"required": [
	"product_id",
	"text"
	],
	"properties": {
	"product_id": {
	"$ref": "#/definitions/non_empty_string_t"
	},
	"text": {
	"$ref": "#/definitions/non_empty_string_t"
	},
	"cpe": {
	"$ref": "#/definitions/non_empty_string_t"
	}
	}
	},
	"non_empty_string_t": {
	"type": "string",
	"minLength": 1
	},