Standardize the SWID field meaning #17

Closed
esarafianou opened this issue Aug 18, 2020 · 6 comments

@esarafianou
Contributor

We need to decide on what the SWID field in the schema refers to.

One way to perform a query against the NVD is by using the tagId. Another way is probably by submitting the SWID document itself. In most circumstances, the tagId would likely suffice. However, until the NVD actually releases details about how specifically the two types of SWID queries will work, we cannot be sure.

It would be valuable to reach out to David Waltermire at NIST for clarification before standardizing on the meaning.

@joshbressers
Contributor

SWID files are XML. I am a fan of avoiding anything that isn't JSON whenever possible.

@joshbressers
Contributor

I want to resurrect this discussion.

I'm trying to put an advisory into JSON format to see what I think of the schema. Here is my current content:
https://github.com/joshbressers/wg-vulnerability-disclosures/blob/schema/src/schema/ESA-2020-10.json

The versions are going to be the sticking point I suspect. In my case it's not even that complex
versions before 6.8.11 and 7.8.1
But the current format doesn't really accommodate this.

I'm asking the purl crew if they have suggestions
package-url/purl-spec#84 (comment)

disclaimer: I really like purl

I'm open to any other suggestions if anyone has any

Thanks in advance

@JasonKeirstead

This issue and #28 are highly related IMO. It should just be combined into one issue to discuss.

@joshbressers
Contributor

I don't have permission to close this issue, but I'll move my comment over to #28

@MarcinHoppe
Contributor

@joshbressers want me to close this in favor of continuing this discussion in #28?

@joshbressers
Contributor

> @joshbressers want me to close this in favor of continuing this discussion in #28?

Yes please
