Comments (3)
goneall
commented on June 20, 2024
@ShubhankarVN I believe the syntax allows for NONE and NOASSERTION without the preceeding DocumentRef-.
So the following should work:
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "NONE",
"relationshipType": "DESCRIBED_BY"
}
from tools-python.
ShubhankarVN
commented on June 20, 2024
The scenario we are trying is where the Package and External Document Refs are related and both IDs are known, but the exact internal SPDXID that's part of the DocumentRef is not known.
In the below example, SPDXRef-Package-1 and DocumentRef-1 are known IDs, but the exact internal SPDXID that's part of DocumentRef-1 is unknown, hence NOASSERTION/NONE.
E.g.:
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}
What can be done in this scenario?
from tools-python.
goneall
commented on June 20, 2024
What can be done in this scenario?
The spec currently doesn't support referring to an unknown SPDX ID within an external document.
What I would suggest is creating a relationship to the document itself which has a pre-defined known ID - e.g.:
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:SPDXRef-DOCUMENT",
"relationshipType": "DESCRIBED_BY"
}
from tools-python.
Related Issues (20)
- Valid SPDX cannot be converted from JSON to tag:value HOT 1
- Ugly error message when the JSON syntax is not correct HOT 1
- Question of generation SBOM HOT 3
- Be more lenient when parsing "true" and "false" in tag-value
- Request for Handling Custom Licenses in Document and Package Validators HOT 6
- Converting valid JSON SPDX file to tag:value gives invalid SPDX
- would like to package - but the name is unsuitable HOT 1
- Slow for SBOMs with a large number of files + relationships HOT 1
- F
- Would like an option to omit files from graph
- `create_list_without_duplicates` Function Can be Sped Up By Using Set
- Incorrect cpe23Type validation? HOT 2
- Relationship with Package Section HOT 2
- Failed to convert spdx to xml with Annotation HOT 1
- Error while calling SPDX parse_file() API inside thread function
- Remove unused semantic_version module HOT 1
- Why use uritools instead of the standard library urllib? HOT 1
- The LicenseRef prefix should not be required for standard licenses
- Unhashable type SpdxNoAssertion
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from tools-python.