idnits 2.17.1

draft-birkholz-yang-swid-02.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

  ** There are 89 instances of too long lines in the document, the longest one
     being 18 characters in excess of 72.

  == There are 1 instance of lines with non-RFC6890-compliant IPv4 addresses
     in the document. If these are example addresses, they should be changed.

  ** The document seems to lack a both a reference to RFC 2119 and the
     recommended RFC 2119 boilerplate, even if it appears to use RFC 2119
     keywords.

     RFC 2119 keyword, line 385: '...ame itself. This SHOULD be the relativ...'

     RFC 2119 keyword, line 674: '... registration ID MUST be a RFC 3986 UR...'

     RFC 2119 keyword, line 675: '... scope SHOULD be the scope o...'

     RFC 2119 keyword, line 676: '... registration id MUST be used consiste...'

     RFC 2119 keyword, line 934: '... If a SWID tag is a patch, it MUST...'

     (2 more instances...)

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  == Line 176 has weird spacing: '...ss-name str...'

  == Line 191 has weird spacing: '...ty-name str...'

  -- The document date (October 23, 2018) is 2006 days in the past. Is this
     intentional?

  Checking references for intended status: Proposed Standard
  ----------------------------------------------------------------------------

     (See RFCs 3967 and 4897 for information about using normative references
     to lower-maturity documents in RFCs)

  == Outdated reference: A later version (-24) exists of
     draft-ietf-sacm-coswid-06

  -- Possible downref: Non-RFC (?) normative reference: ref. 'SWID'

     Summary: 2 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.

--------------------------------------------------------------------------------

2     NETCONF Working Group                                        H. Birkholz
3     Internet-Draft                                            Fraunhofer SIT
4     Intended status: Standards Track                        October 23, 2018
5     Expires: April 26, 2019

7           Software Inventory YANG module based on Software Identifiers
8                           draft-birkholz-yang-swid-02

10    Abstract

12       This document provides a YANG module definition that enables a
13       computing context to provide detailed information about installed
14       software components. The structure of the module is based on the
15       Concise Software Identifier draft and therefore also strongly related
16       to the ISO 19770-2:2015 Software Identifiers standard. Both
17       standards provide no interface to transport the SWID tag information
18       between system entities and this document leverages the wide adoption
19       of YANG based management interfaces.

21    Status of This Memo

23       This Internet-Draft is submitted in full conformance with the
24       provisions of BCP 78 and BCP 79.

26       Internet-Drafts are working documents of the Internet Engineering
27       Task Force (IETF). Note that other groups may also distribute
28       working documents as Internet-Drafts. The list of current Internet-
29       Drafts is at https://datatracker.ietf.org/drafts/current/.

31       Internet-Drafts are draft documents valid for a maximum of six months
32       and may be updated, replaced, or obsoleted by other documents at any
33       time. It is inappropriate to use Internet-Drafts as reference
34       material or to cite them other than as "work in progress."

36       This Internet-Draft will expire on April 26, 2019.

38    Copyright Notice

40       Copyright (c) 2018 IETF Trust and the persons identified as the
41       document authors. All rights reserved.

43       This document is subject to BCP 78 and the IETF Trust's Legal
44       Provisions Relating to IETF Documents
45       (https://trustee.ietf.org/license-info) in effect on the date of
46       publication of this document. Please review these documents
47       carefully, as they describe your rights and restrictions with respect
48       to this document. Code Components extracted from this document must
49       include Simplified BSD License text as described in Section 4.e of
50       the Trust Legal Provisions and are provided without warranty as
51       described in the Simplified BSD License.

53    Table of Contents

55       1. Introduction
56       2. YANG SWID module
57       3. IANA considerations
58       4. Security Considerations
59       5. Acknowledgements
60       6. Change Log
61       7. Normative References
62       Appendix A. Detailed YANG SWID module
63       Author's Address

65    1. Introduction

67       Software Identification Tags (SWID tags [SWID]) or their binary
68       equivalent - the CoSWID tags [I-D.ietf-sacm-coswid] - provide a
69       versatile document standard that can be installed in conjunction with
70       a software component on a system entity. There is no standard
71       interface to access, export, or transfer these tag documents between
72       system entities. The following YANG module enables full, fine-
73       grained access to every attribute and metadata defined in the SWID
74       standards via a YANG-based management interface. In addition, access
75       to all SWID documents - encoded in XML or CBOR - is enabled by
76       corresponding SWID inventory statement. Changes to the SWID
77       inventory can be emitted via SWID-Updates YANG notifications.

79    2. YANG SWID module

81       Every node defined is read-only, as there is no installation or
82       deployment capability associated with tag information. The
83       descriptions of each attribute are derived from the SWID XML schema
84       definition provided by ISO:

86       http://standards.iso.org/iso/19770/-2/2015-current/schema.xsd

88       The definitions were adapted and modified if appropriate.

90       The following summary illustrates the module in tree format. The
91       complete YANG module can be found in Appendix A.

93
94    module: yang-software-identity
95        +--ro (swid-inventory-type)
96           +--:(native)
97           |  +--ro (representation-type)?
98           |     +--:(isoswid)
99           |     |  +--ro iso-software-identities*   anydata
100          |     +--:(coswid)
101          |        +--ro cbor-software-identities*   anydata
102          +--:(yang-modeled)
103             +--ro concise-software-identities*
104                +--ro concise-software-identity
105                   +--ro lang?   string
106                   +--ro any-element*
107                   |  +--ro any-attribute
108                   |     +--ro attribute-name?   string
109                   |     +--ro attribute-value?   string
110                   +--ro tag-id   string
111                   +--ro swid-name   string
112                   +--ro (major-ressource-collection)?
113                   |  +--:(payload)
114                   |  |  +--ro payload
115                   |  |     +--ro lang?   string
116                   |  |     +--ro any-element*
117                   |  |     |  +--ro any-attribute
118                   |  |     |     +--ro attribute-name?   string
119                   |  |     |     +--ro attribute-value?   string
120                   |  |     +--ro (item-type)?
121                   |  |        +--:(directory)
122                   |  |        |  +--ro directory
123                   |  |        |     +--ro directory-path?   string
124                   |  |        +--:(file)
125                   |  |        |  +--ro file
126                   |  |        |     +--ro directory-path?   string
127                   |  |        |     +--ro size?   uint32
128                   |  |        |     +--ro file-version?   string
129                   |  |        |     +--ro file-hash
130                   |  |        |        +--ro hash-algo?   int16
131                   |  |        |        +--ro hash-value?   binary
132                   |  |        +--:(key)
133                   |  |        |  +--ro key?   boolean
134                   |  |        +--:(location)
135                   |  |        |  +--ro location?   string
136                   |  |        +--:(fs-name)
137                   |  |        |  +--ro fs-name   string
138                   |  |        +--:(root)
139                   |  |           +--ro root?   string
140                   |  +--:(evidence)
141                   |     +--ro evidence
142                   |        +--ro lang?   string
143                   |        +--ro any-element*
144                   |        |  +--ro any-attribute
145                   |        |     +--ro attribute-name?   string
146                   |        |     +--ro attribute-value?   string
147                   |        +--ro (item-type)?
148                   |        |  +--:(directory)
149                   |        |  |  +--ro directory
150                   |        |  |     +--ro directory-path?   string
151                   |        |  +--:(file)
152                   |        |  |  +--ro file
153                   |        |  |     +--ro directory-path?   string
154                   |        |  |     +--ro size?   uint32
155                   |        |  |     +--ro file-version?   string
156                   |        |  |     +--ro file-hash
157                   |        |  |        +--ro hash-algo?   int16
158                   |        |  |        +--ro hash-value?   binary
159                   |        |  +--:(key)
160                   |        |  |  +--ro key?   boolean
161                   |        |  +--:(location)
162                   |        |  |  +--ro location?   string
163                   |        |  +--:(fs-name)
164                   |        |  |  +--ro fs-name   string
165                   |        |  +--:(root)
166                   |        |     +--ro root?   string
167                   |        +--ro date?   string
168                   |        +--ro device-id?   string
169                   +--ro additional-resource-collection*
170                   |  +--ro process
171                   |  |  +--ro lang?   string
172                   |  |  +--ro any-element*
173                   |  |  |  +--ro any-attribute
174                   |  |  |     +--ro attribute-name?   string
175                   |  |  |     +--ro attribute-value?   string
176                   |  |  +--ro process-name   string
177                   |  |  +--ro pid?   uint16
178                   |  +--ro resource
179                   |  |  +--ro lang?   string
180                   |  |  +--ro any-element*
181                   |  |  |  +--ro any-attribute
182                   |  |  |     +--ro attribute-name?   string
183                   |  |  |     +--ro attribute-value?   string
184                   |  |  +--ro type?   string
185                   |  +--ro entity
186                   |  |  +--ro lang?   string
187                   |  |  +--ro any-element*
188                   |  |  |  +--ro any-attribute
189                   |  |  |     +--ro attribute-name?   string
190                   |  |  |     +--ro attribute-value?   string
191                   |  |  +--ro entity-name   string
192                   |  |  +--ro reg-id?   string
193                   |  |  +--ro role?   string
194                   |  |  +--ro thumbprint
195                   |  |     +--ro hash-algo?   int16
196                   |  |     +--ro thumbprint-value?   binary
197                   |  +--ro link
198                   |  |  +--ro lang?   string
199                   |  |  +--ro any-element*
200                   |  |  |  +--ro any-attribute
201                   |  |  |     +--ro attribute-name?   string
202                   |  |  |     +--ro attribute-value?   string
203                   |  |  +--ro artifact?   string
204                   |  |  +--ro href   string
205                   |  |  +--ro media?   string
206                   |  |  +--ro ownership?   string
207                   |  |  +--ro rel   string
208                   |  |  +--ro type?   string
209                   |  |  +--ro use?   string
210                   |  +--ro software-meta
211                   |     +--ro lang?   string
212                   |     +--ro any-element*
213                   |     |  +--ro any-attribute
214                   |     |     +--ro attribute-name?   string
215                   |     |     +--ro attribute-value?   string
216                   |     +--ro activation-status?   string
217                   |     +--ro channel-type?   string
218                   |     +--ro colloquial-version?   string
219                   |     +--ro description?   string
220                   |     +--ro edition?   string
221                   |     +--ro entitlement-data-required?   boolean
222                   |     +--ro entitlement-key?   string
223                   |     +--ro generator?   string
224                   |     +--ro persistent-id?   string
225                   |     +--ro product?   string
226                   |     +--ro product-family?   string
227                   |     +--ro revision?   string
228                   |     +--ro summary?   string
229                   |     +--ro unspsc-code?   string
230                   |     +--ro unspsc-version?   string
231                   +--ro corpus?   boolean
232                   +--ro patch?   boolean
233                   +--ro media?   boolean
234                   +--ro supplemental?   boolean
235                   +--ro tag-version?   string
236                   +--ro software-version?   string
237                   +--ro version-scheme?   string

239     notifications:
240       +---n swid-inventory-update
241          +--ro swid-update-type   identityref
242          +--ro swid-relationships*
243          |  +--ro swid-relationship
244          |     +--ro relationship?   identityref
245          |     +--ro related-swids*   string
246          +--ro (representation-type)?
247             +--:(isoswid)
248             |  +--ro iso-software-identity?   anydata
249             +--:(coswid)
250                +--ro ietf-software-identity?   anydata
251

253   3. IANA considerations

255      This document includes no requests to IANA.

257   4. Security Considerations

259      This document includes no security considerations yet, but will act
260      as an incubator to create them.

262   5. Acknowledgements

264      Eric Voit

266   6. Change Log

268      First version -00

270   7. Normative References

272      [I-D.ietf-sacm-coswid]
273                 Birkholz, H., Fitzgerald-McKay, J., Schmidt, C., and D.
274                 Waltermire, "Concise Software Identifiers", draft-ietf-
275                 sacm-coswid-06 (work in progress), July 2018.

277      [SWID]     "Information technology - Software asset management - Part
278                 2: Software identification tag", ISO/IEC 19770-2:2015,
279                 October 2015.

281   Appendix A. Detailed YANG SWID module

283
284   module yang-software-identity {

286     namespace "urn:ietf:params:xml:ns:yang:swid";
287     prefix "yang-swid";
288     organization
289       "Fraunhofer SIT";
290     contact
291       "Henk Birkholz
292        Fraunhofer Institute for Secure Information Technology
293        Email: henk.birkholz@sit.fraunhofer.de";
294     description
295       "The YANG module to provide SWID tags via YANG modeled
296        management interfaces.
297        Copyright (C) Fraunhofer SIT (2017).";
298     revision "2017-10-30" {
299       description
300         "Initial version";
301       reference
302         "draft-birkholz-yang-swid-00";
303     }

305     grouping global-attributes {
306       leaf lang {
307         type string;
308         description
309           "An RFC5646 conformant language tag";
310       }
311       list any-element {
312         container any-attribute {
313           leaf attribute-name {
314             type string;
315             description
316               "The name of the custom attribute.";
317           }
318           leaf attribute-value {
319             type string;
320             description
321               "The value of the custom attribute.";
322           }
323         }
324       }
325     }

327     grouping relative-path {
328       leaf directory-path {
329         type string;
330         description
331           "A file-system path expression relative to the SWID tag document,";
332       }
333     }

335     grouping filesystem-item {
336       uses global-attributes;
337       choice item-type {
338         container directory {
339           uses relative-path;
340         }
341         container file {
342           uses relative-path;
343           leaf size {
344             type uint32;
345             description
346               "The file size in bytes of the file.";
347           }
348           leaf file-version {
349             type string;
350             description
351               "The file version.";
352           }
353           container file-hash {
354             leaf hash-algo {
355               type int16;
356               description
357                 "The integer index of the IANA Named Information Hash Algorithm
358                  Registry table";
359             }
360             leaf hash-value {
361               type binary;
362               description
363                 "The binary hash value of the file";
364             }
365           }
366         }
367         leaf key {
368           type boolean;
369           description
370             "Files that are considered important or required
371              for the use of a software component. Typical key files
372              would be those which, if not available on a system entity,
373              would cause the software component not to execute or
374              function properly.
375              Key files will typically be used to validate that
376              a software component referenced by the CoSWID tag document
377              is actually installed on a specific system
378              entity.";
379         }
380         leaf location {
381           type string;
382           description
383             "The directory or location where a file was found
384              or can be expected to be located. This text-string is intended
385              to include the filename itself. This SHOULD be the relative
386              path represented by the root item.";
387         }
388         leaf fs-name {
389           type string;
390           mandatory true;
391           description
392             "The file name or directory name without any path characters.";
393         }
394         leaf root {
395           type string;
396           description
397             "A system-specific root folder that the location
398              item is an offset from. If this is not specified the
399              assumption is the root is the same folder as the location of
400              the CoSWID tag. The text-string value represents a path
401              expression relative to the CoSWID tag document location in
402              the (composite) file-system hierarchy.";
403         }
404       }
405     }

407     identity update-type {
408       description
409         "The type of update with respect to a change in the SWID inventory.";
410     }

412     identity added {
413       base update-type;
414       description
415         "A SWID was added to the inventory.";
416     }

418     identity removed {
419       base update-type;
420       description
421         "A SWID was removed from the inventory.";
422     }

424     identity relationship-type {
425       description
426         "The type of relationship the SWID tag in the inventory update
427          notification has to other SWID tags currently in the inventory.";
428     }

430     identity patches {
431       base relationship-type;
432       description
433         "This SWID tag represents a software component that patches
434          different software components (to be identified via tag-id).";
435     }

437     identity supersedes {
438       base relationship-type;
439       description
440         "This SWID tag represents a software component that supersedes
441          different software components (to be identified via tag-id).";
442     }

444     identity requires {
445       base relationship-type;
446       description
447         "This SWID tag represents a software component that requires
448          different software components (to be identified via tag-id).";
449     }

451     identity required-by {
452       base relationship-type;
453       description
454         "This SWID tag represents a software component that is required by
455          different software components (to be identified via tag-ids).";
456     }

458     grouping representation {
459       description
460         "Identifies the type of the native representation of individual
461          SWID documents. On this level, the choice is between
462          ISO 19770-2:2015 and I-D.ietf-sacm-coswid Software
463          Identifiers: isoswid or coswid. In case of CoMI, the choice
464          is between 0 and 1, respectively.";
465       choice representation-type {
466         case isoswid {
467           description
468             "Native representation of ISO 19770-2:2015 Software Identifiers";
469           leaf-list iso-software-identities {
470             type anydata;
471             description
472               "A list of XML encoded SWID documents.";
473           }
474         }
475         case coswid {
476           description
477             "Native representation of Concise Software Identifiers";
478           leaf-list ietf-software-identities {
479             type anydata;
480             description
481               "A list of CBOR encoded SWID documents.";
482           }
483         }
484       }
485     }

487     notification swid-inventory-update {
488       description
489         "This notification is emitted, if the composition of software components
490          in a computing context changes.";
491       leaf swid-update-type {
492         type identityref {
493           base update-type;
494         }
495         mandatory true;
496         description
497           "Indicates if a SWID tag was added or removed.";
498       }
499       list swid-relationships {
500         description
501           "A list of relationships to other SWID documents.";
502         container swid-relationship {
503           description
504             "An individual SWID relationship.";
505           leaf relationship {
506             type identityref {
507               base relationship-type;
508             }
509             description
510               "The type of relationship, e.g. supersedes or patches.";
511           }
512           leaf-list related-swids {
513             type string;
514             description
515               "A list of tag-ids that reference corresponding SWID tags.";
516           }
517         }
518       }
519       choice representation-type {
520         description
521           "Identifies the type of the native representation of individual
522            SWID documents. On this level, the choice is between
523            ISO 19770-2:2015 and I-D.ietf-sacm-coswid Software
524            Identifiers: isoswid or coswid. In case of CoMI, the choice
525            is between 0 and 1, respectively.";
526         case isoswid {
527           description
528             "Native representation of ISO 19770-2:2015 Software Identifiers";

530           leaf iso-software-identity {
531             type anydata;
532             description
533               "An XML encoded SWID document.";
534           }
535         }
536         case coswid {
537           description
538             "Native representation of Concise Software Identifiers";
539           leaf ietf-software-identity {
540             type anydata;
541             description
542               "A CBOR encoded SWID document.";
543           }
544         }
545       }
546     }

548     choice swid-inventory-type {
549       config false;
550       mandatory true;
551       description
552         "Identifies the representation of the SWID inventory.
553          On this level, the choice is between native representation and
554          YANG representation: native or yang-modeled. In case of CoMI,
555          the choice is between 0 and 1, respectively.";
556       case native {
557         choice representation-type {
558           description
559             "Identifies the type of the native representation of individual
560              SWID documents. On this level, the choice is between
561              ISO 19770-2:2015 and I-D.ietf-sacm-coswid Software
562              Identifiers: isoswid or coswid. In case of CoMI, the choice
563              is between 0 and 1, respectively.";
564           case isoswid {
565             description
566               "Native representation of ISO 19770-2:2015 Software Identifiers";
567             leaf-list iso-software-identities {
568               type anydata;
569               description
570                 "A list of XML encoded SWID documents.";
571             }
572           }
573           case coswid {
574             description
575               "Native representation of Concise Software Identifiers";
576             leaf-list cbor-software-identities {
577               type anydata;
578               description
579                 "A list of CBOR encoded SWID documents.";
580             }
581           }
582         }
583       }
584       case yang-modeled {
585         description
586           "A list of YANG-modeled SWID document containers.";
587         list concise-software-identities {
588           container concise-software-identity {
589             uses global-attributes;
590             leaf tag-id {
591               type string;
592               mandatory true;
593               description
594                 "An identifier uniquely referencing a (composite)
595                  software component. The tag identifier is intended to be
596                  globally unique. There are no strict guidelines on how this
597                  identifier is structured, but examples include a 16 byte
598                  GUID (e.g. class 4 UUID).";
599             }
600             leaf swid-name {
601               type string;
602               mandatory true;
603               description
604                 "This item provides the software component name as
605                  it would typically be referenced. For example, what would
606                  be seen in the add/remove dialog on a Windows device, or
607                  what is specified as the name of a packaged software product
608                  or a patch identifier name on a Linux device.";
609             }
610             choice major-ressource-collection {
611               container payload {
612                 uses filesystem-item;
613               }
614               container evidence {
615                 uses filesystem-item;
616                 leaf date {
617                   type string;
618                   description
619                     "The date and time evidence represented by an
620                      evidence item was gathered.";
621                 }
622                 leaf device-id {
623                   type string;
624                   description
625                     "A text-string identifier for a device
626                      evidence was gathered from.";
627                 }
628               }
629             }
630             list additional-resource-collection {
631               container process {
632                 uses global-attributes;
633                 leaf process-name {
634                   type string;
635                   mandatory true;
636                   description
637                     "The process name as it will be found in the
638                      system entity's process table.";
639                 }
640                 leaf pid {
641                   type uint16;
642                   description
643                     "The process ID for the process in execution
644                      that can be included in the process item as part of an
645                      evidence tag.";
646                 }
647               }
648               container resource {
649                 uses global-attributes;
650                 leaf type {
651                   type string;
652                   description
653                     "The type of resource represented via a
654                      text-string (typically, registry-key, port
655                      or root-uri).";
656                 }
657               }
658               container entity {
659                 uses global-attributes;
660                 leaf entity-name {
661                   type string;
662                   mandatory true;
663                   description
664                     "The text-string name of the organization
665                      claiming a particular role in the SWID tag";
666                 }
667                 leaf reg-id {
668                   type string;
669                   description
670                     "The registration id is intended to uniquely
671                      identify a naming authority in a given scope (e.g. global,
672                      organization, vendor, customer, administrative domain, etc.)
673                      that is implied by the referenced naming authority. The
674                      value of a registration ID MUST be a RFC 3986 URI. The
675                      scope SHOULD be the scope of an organization. In a given
676                      scope, the registration id MUST be used consistently.";
677                 }
678                 leaf role {
679                   type string;
680                   description
681                     "The relationship between this organization
682                      and this tag. The role of tag creator is required for every
683                      SWID tag. The role of an entity may include any role value,
684                      but the pre-defined roles include: \"aggregator\",
685                      \"distributor\", \"licensor\", \"software-creator\",
686                      \"tag-creator\". The enumerations of this will include a
687                      request to IANA in order to be reference-able via an integer
688                      index.";
689                 }
690                 container thumbprint {
691                   leaf hash-algo {
692                     type int16;
693                     description
694                       "The integer index of the IANA Named Information Hash Algorithm
695                        Registry table that is used to create the
696                        thumbprint.";
697                   }
698                   leaf thumbprint-value {
699                     type binary;
700                     description
701                       "This value provides a hexadecimal string
702                        that contains a hash (i.e. the thumbprint) of the signing
703                        entities certificate.";
704                   }
705                 }
706               }
707               container link {
708                 uses global-attributes;
709                 leaf artifact {
710                   type string;
711                   description
712                     "For installation media
713                      (rel=installation-media); dictates the canonical name for
714                      the file.
715                      Items with the same artifact name should be considered
716                      mirrors of each other (so download from
717                      wherever works).";
718                 }
719                 leaf href {
720                   type string;
721                   mandatory true;
722                   description
723                     "A URI pointing to the resource referenced
724                      using a system-acceptable URI scheme (e.g., file:// http://
725                      https:// ftp://), including yang+swid://";
726                 }
727                 leaf media {
728                   type string;
729                   description
730                     "This text value is a hint to the tag consumer
731                      to understand what this SWID tag applies to. This item can
732                      also be included in the link item to represent a attributes
733                      defined by the W3C Media Queries Recommendation (see
734                      http://www.w3.org/TR/css3-mediaqueries/). A hint to the
735                      consumer of the link to what the target item is applicable
736                      for.";
737                 }
738                 leaf ownership {
739                   type string;
740                   description
741                     "Determines the relative strength of ownership
742                      of the software components. Valid enumerations are: abandon,
743                      private, shared.";
744                 }
745                 leaf rel {
746                   type string;
747                   mandatory true;
748                   description
749                     "The relationship between this SWID and the
750                      target file. Relationships can be identified by referencing
751                      the IANA registration library:
752                      https://www.iana.org/assignments/link-relations/link-relations.xhtml.";
753                 }
754                 leaf type {
755                   type string;
756                   description
757                     "A longer, detailed description of the
758                      software. This description can be multiple sentences
759                      (differentiated from summary, which is a very short,
760                      one-sentence description).";
761                 }
762                 leaf use {
763                   type string;
764                   description
765                     "Determines if the target software is a hard
766                      requirement or not. Valid enumerations are: required,
767                      recommended, optional.";
768                 }
769               }
770               container software-meta {
771                 uses global-attributes;
772                 leaf activation-status {
773                   type string;
774                   description
775                     "Identification of the activation status of
776                      this software title (e.g. Trial, Serialized, Licensed,
777                      Unlicensed, etc). Typically, this is used in supplemental
778                      tags.";
779                 }
780                 leaf channel-type {
781                   type string;
782                   description
783                     "Provides information on which channel this
784                      particular software was targeted for (e.g. Volume, Retail,
785                      OEM, Academic, etc). Typically used in supplemental tags.";
786                 }
787                 leaf colloquial-version {
788                   type string;
789                   description
790                     "The informal or colloquial version of the
791                      product (i.e. 2013). Note that this version may be the same
792                      through multiple releases of a software product where the
793                      version specified in entity is much more specific and will
794                      change for each software release.
795                      Note that this representation of version is typically used
796                      to identify a group of specific software releases that are
797                      part of the same release/support infrastructure (i.e.
798                      Fabrikam Office 2013). This version is used for string
799                      comparisons only and is not compared to be an earlier or
800                      later release (that is done via the entity
801                      version).";
802                 }
803                 leaf description {
804                   type string;
805                   description
806                     "A longer, detailed description of the
807                      software. This description can be multiple sentences
808                      (differentiated from summary, which is a very short,
809                      one-sentence description).";
810                 }
811                 leaf edition {
812                   type string;
813                   description
814                     "The variation of the product (Extended,
815                      Enterprise, Professional, Standard etc).";
816                 }
817                 leaf entitlement-data-required {
818                   type boolean;
819                   description
820                     "An indicator to determine if there should be
821                      accompanying proof of entitlement when a software license
822                      reconciliation is completed.";
823                 }
824                 leaf entitlement-key {
825                   type string;
826                   description
827                     "A vendor-specific textual key that can be
828                      used to reconcile the validity of an entitlement. (e.g.
829                      serial number, product or license key).";
830                 }
831                 leaf generator {
832                   type string;
833                   description
834                     "The name of the software tool that created a
835                      SWID tag. This item is typically used if tags are created
836                      on the fly or via a catalog-based analysis for data found on
837                      a computing device.";
838                 }
839                 leaf persistent-id {
840                   type string;
841                   description
842                     "A GUID used to represent products installed
843                      where the product are related, but may be different
844                      versions. For example, an \"upgradeCode\" (see
845                      http://msdn.microsoft.com/en-us/library/aa372375(v=vs.85).aspx
846                      as a reference for this example).";
847                 }
848                 leaf product {
849                   type string;
850                   description
851                     "The base name of the product (e.g. Office,
852                      Creative Suites, Websphere, etc).";
853                 }
854                 leaf product-family {
855                   type string;
856                   description
857                     "The overall product family this software
858                      belongs to. Product family is not used to identify that a
859                      product is part of a suite, but is instead used when a set
860                      of products that are all related may be installed on
861                      multiple different devices.
862                      For example, an enterprise backup system may consist of a
863                      backup services, multiple different backup services that
864                      support mail services, databases and ERP systems, as well as
865                      individual software components that backup client system
866                      entities. In such a usage scenario, all software components
867                      that are part of the backup system would have the same
868                      product-family name so they can be grouped together in
869                      respect to reporting systems.";
870                 }
871                 leaf revision {
872                   type string;
873                   description
874                     "The informal or colloquial representation of
875                      the sub-version of the given product (ie, SP1, R2, RC1, Beta
876                      2, etc). Note that the SoftwareIdentity.version will
877                      provide very exact version details,
878                      the revision is intended for use in environments where
879                      reporting on the informal or colloquial representation of
880                      the software is important (for example, if for a certain
881                      business process, an organization recognizes that it must
882                      have, for example \"ServicePack 1\" or later of a specific
883                      product installed on all devices, they can use the revision
884                      data value to quickly identify any devices that do not meet
885                      this requirement).
886                      Depending on how a software organization distributes
887                      revisions, this value could be specified in a primary (if
888                      distributed as an upgrade) or supplemental (if distributed
889                      as a patch) SWID tag.";
890                 }
891                 leaf summary {
892                   type string;
893                   description
894                     "A short (one-sentence) description of the
895                      software.";
896                 }
897                 leaf unspsc-code {
898                   type string;
899                   description
900                     "An 8 digit code that provides UNSPSC
901                      classification of the software product this SWID tag
902                      identifies. For more information see,
903                      http://www.unspsc.org/.";
904                 }
905                 leaf unspsc-version {
906                   type string;
907                   description
908                     "An 8 digit code that provides UNSPSC
909                      classification of the software product this SWID tag
910                      identifies. For more information see,
911                      http://www.unspsc.org/.";
912                 }
913               }

915             }
916             leaf corpus {
917               type boolean;
918               description
919                 "Set to true, if this attribute specifies that this SWID tag is a
920                  collection of information that describes the pre-installation
921                  data of software component.";
922             }
923             leaf patch {
924               type boolean;
925               description
926                 "A set of files that is intended to modify an
927                  existing set of files (including configuration files,
928                  scripts and corresponding environment variables that are
929                  created by the OS for the runtime environment) that composes
930                  a software component. A software component patch does
931                  neither alter the version number (see 13) nor the release
932                  details (descriptive english text, see 44) of a software
933                  components.
934                  If a SWID tag is a patch, it MUST
935                  contain the patch item and its value MUST be set
936                  to true.

938                  It is recommended but not required to include a
939                  rel(ation) item in a patch CoSWID. If a CoSWID includes a
940                  patch member, but not a rel member, it is implied that it
941                  SHOULD be installed independently of any other CoSWID tag
942                  document -- even if an effective but not explicit
943                  relationship exists.";
944             }
945             leaf media {
946               type boolean;
947               description
948                 "This text value is a hint to the tag consumer to
949                  understand what this SWID tag applies to. This item can also
950                  be included in the link item to represent a attributes
951                  defined by the W3C Media Queries Recommendation (see
952                  http://www.w3.org/TR/css3-mediaqueries/). A hint to the
953                  consumer of the link to what the target item is applicable
954                  for.";
955             }
956             leaf supplemental {
957               type boolean;
958               description
959                 "Specifies that this tag provides supplemental tag
960                  data that can be merged with primary tag data to create a
961                  complete record of the software information. Supplemental
962                  tags will often be provided at install time and may be
963                  provided by different entities (such as the tag consumer, or
964                  a Value Added Reseller).";
965             }
966             leaf tag-version {
967               type string;
968               description
969                 "This item indicates if a specific release of a
970                  software component has more than one tag that can represent
971                  that specific release. This may be the case if a CoSWID tag
972                  producer creates and releases an incorrect tag that they
973                  subsequently want to fix, but with no underlying changes to
974                  the product the CoSWID tag represents. This could happen if,
975                  for example, a patch is distributed that has a link
976                  reference that does not cover all the various software
977                  releases it can patch. A newer CoSWID tag for that patch can
978                  be generated and the tag-version value incremented to
979                  indicate that the data is updated.";

981             }
982             leaf software-version {
983               type string;
984               description
985                 "Underlying development version for the software
986                  component.";
987             }
988             leaf version-scheme {
989               type string;
990               description
991                 "Scheme used for the version number. Valid
992                  enumerations are :
993                  * alphanumeric: strictly a string, sorting alphanumerically
994                  * decimal: a floating point number (i.e., 1.25 is less than
995                    1.3 )
996                  * multipartnumeric: numbers separated via dots, where the
997                    numbers are interpreted as integers (ie, 1.2.3 , 1.4.5.6
998                    , 1.2.3.4.5.6.7). This string convention is similar to
999                    OIDs.
1000                 * multipartnumeric+suffix: numbers separated via dots, where
1001                   the numbers are interpreted as integers with an additional
1002                   string suffix (e.g., 1.2.3a).
1003                 * semver: a string as defined by the semver.org spec [FiXME:
1004                   reference]
1005                 * unknown: the last resort choice, no attempt should be made
1006                   to order these";
1007           }
1008         }
1009       }
1010     }

1012   }
1013 }
1014

1016  Author's Address

1018     Henk Birkholz
1019     Fraunhofer SIT
1020     Rheinstrasse 75
1021     Darmstadt 64295
1022     Germany

1024     Email: henk.birkholz@sit.fraunhofer.de
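
Added example, not part of the draft or of any project code: one way a tag consumer could use the file-hash container (hash-algo, hash-value) of the yang-modeled inventory to check installed files against their tags. It assumes instance data already decoded into Python dicts keyed by the module's node names with binary leaves base64-encoded, that a file's directory-path names the file relative to the tag, and a caller-supplied read_file callback; the tag-ids, paths and file contents are constructed.

```python
import base64
import hashlib
import hmac
import posixpath

# Subset of the IANA Named Information Hash Algorithm Registry (RFC 6920):
# registry index -> (hashlib name, leftmost digest bytes kept; None = all).
NI_HASH = {
    1: ("sha256", None),  # sha-256
    2: ("sha256", 16),    # sha-256-128
    3: ("sha256", 15),    # sha-256-120
    4: ("sha256", 12),    # sha-256-96
    5: ("sha256", 8),     # sha-256-64
    6: ("sha256", 4),     # sha-256-32
    7: ("sha384", None),  # sha-384
    8: ("sha512", None),  # sha-512
}


def safe_relpath(path):
    """Normalise a tag-relative path; None if it is absolute or climbs out of
    the tag's directory. Tag content is untrusted input. POSIX paths only."""
    if not path or path.startswith("/") or "\\" in path:
        return None
    norm = posixpath.normpath(path)
    if norm == ".." or norm.startswith("../"):
        return None
    return norm


def verify_file(file_node, read_file, min_bits=128):
    """Check one 'file' container against the bytes read_file(path) returns."""
    rel = safe_relpath(file_node.get("directory-path"))
    if rel is None:
        return "bad-path"
    fh = file_node.get("file-hash") or {}
    if "hash-algo" not in fh or "hash-value" not in fh:
        return "no-hash"
    spec = NI_HASH.get(fh["hash-algo"])
    if spec is None:
        return "unsupported-algo"
    name, keep = spec
    # Heavily truncated digests (e.g. sha-256-32) are trivially collidable.
    if (keep or hashlib.new(name).digest_size) * 8 < min_bits:
        return "weak-hash"
    try:
        expected = base64.b64decode(fh["hash-value"], validate=True)
    except ValueError:
        return "bad-hash-encoding"
    data = read_file(rel)
    if data is None:
        return "missing"
    if "size" in file_node and file_node["size"] != len(data):
        return "size-mismatch"
    actual = hashlib.new(name, data).digest()
    if keep is not None:
        actual = actual[:keep]
    return "ok" if hmac.compare_digest(actual, expected) else "hash-mismatch"


def verify_inventory(inventory, read_file):
    """Map tag-id -> status for every yang-modeled tag in the inventory."""
    results = {}
    for item in inventory.get("concise-software-identities", []):
        tag = item["concise-software-identity"]
        file_node = tag.get("payload", {}).get("file")
        # item-type is a choice: a payload may hold another case than 'file'.
        results[tag["tag-id"]] = ("no-file" if file_node is None
                                  else verify_file(file_node, read_file))
    return results


def _tag(tag_id, path, algo, digest, size=None):
    """Build one constructed list entry shaped like the module's tree."""
    file_node = {"directory-path": path,
                 "file-hash": {"hash-algo": algo,
                               "hash-value": base64.b64encode(digest).decode()}}
    if size is not None:
        file_node["size"] = size
    return {"concise-software-identity": {
        "tag-id": tag_id, "swid-name": tag_id.split("/")[-1],
        "payload": {"file": file_node}}}


# Constructed sample data: an in-memory "disk" and an inventory describing it.
DISK = {"bin/tool": b"tool v1.0\n", "lib/core.so": b"patched by someone\n"}
_TOOL = hashlib.sha256(DISK["bin/tool"]).digest()
SAMPLE_INVENTORY = {"concise-software-identities": [
    _tag("example.org/tool-1.0", "bin/tool", 1, _TOOL, size=10),
    _tag("example.org/trunc-1.0", "bin/tool", 2, _TOOL[:16]),
    _tag("example.org/core-2.1", "lib/core.so", 8,
         hashlib.sha512(b"original core\n").digest()),
    _tag("example.org/short-0.1", "bin/tool", 6, _TOOL[:4]),
    _tag("example.org/escape-0.1", "../../etc/passwd", 1, _TOOL),
    _tag("example.org/future-3.0", "bin/tool", 99, _TOOL),
]}

if __name__ == "__main__":
    for tag_id, status in verify_inventory(SAMPLE_INVENTORY, DISK.get).items():
        print(f"{tag_id:28} {status}")
```

The min_bits threshold of 128 is a local policy choice in this example, not something the draft specifies.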