How can I refer to 2 SPDX files in a third SPDX file and access all the package information from the 3rd SPDX file #131

Open
rakeshsrinivasa opened this issue Jun 29, 2023 · 8 comments

Comments

@rakeshsrinivasa

rakeshsrinivasa commented Jun 29, 2023

Assume that I have an SPDX file called "spdx_1.yaml" and another one called "spdx_2.yaml". Both of these SPDX files have certain packages. Now I want to create another SPDX file (call it spdx_3.yaml) which just refers to the spdx_1 and spdx_2 YAML files available locally in the same folder.

Now, using spdx-tools java, I need to access all the packages available in the spdx_1 and spdx_2 YAML files via spdx_3.yaml.

Below are my questions:

  1. I am facing difficulties in forming spdx_3.yaml. Please verify and help me.
     github.zip
  2. How can I access all the packages present in the spdx_1 and spdx_2 YAML files via spdx_3.yaml in spdx-tools java?

Thanks in advance

@rakeshsrinivasa
Author

@goneall Any comments/suggestions on the above?

@goneall
Member

goneall commented Jul 5, 2023

@rakeshsrinivasa If you want to refer to packages in spdx_1 and spdx_2, you would use the externalDocumentRefs with document namespaces from spdx_1 and spdx_2. For example:

externalDocumentRefs:
  - externalDocumentId: "DocumentRef-spdx_1"
    checksum:
      algorithm: "SHA1"
      checksumValue: "[the checksum for spdx_1 yaml file]"
    spdxDocument: "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301"

You would then refer to the package using the syntax [DocumentRef]:[SpdxID], for example: DocumentRef-spdx_1:SPDXRef-Package-1.

@goneall
Member

goneall commented Jul 5, 2023

A couple other things in looking through the attached files:

  • For document SPDX ID - it must be SPDXRef-DOCUMENT per the spec
  • You should not use the CONTAINS relationship for the SPDX Document as it doesn't really contain anything, it just describes things - so you should use the DESCRIBES relationship. Packages can contain things, so maybe you want to have the SPDX Document describe a package that contains other packages or files.

@rakeshsrinivasa
Author

@goneall In the below

externalDocumentRefs:

Where am I specifying the local path of the spdx_1 or spdx_2 file? How does the spdx_3 YAML file determine which local file it has to refer to?

@rakeshsrinivasa
Author

@goneall Btw, did you get a chance to look at the attached github.zip? Any comments on that?

@goneall
Member

goneall commented Jul 5, 2023

@rakeshsrinivasa There isn't a field for the local path of the externally referenced files. We discussed adding it to the spec and decided not to since files may move etc. You can probably add an Annotation or a comment to capture this.
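
One way a tool can locate the referenced file when there is no path field, shown as an added example that is not part of this thread or of spdx-tools: match the declared `spdxDocument` URI against the `documentNamespace` of candidate local files, and accept a file only if its SHA1 equals the declared checksum. The sample documents are constructed and use the SPDX JSON serialization (same field names as the YAML) so that only the Python standard library is needed; `external_ref` and `resolve` are hypothetical helper names.

```python
import hashlib
import json

# Constructed sample document standing in for spdx_1 (JSON, same fields as the YAML).
SPDX_1 = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301",
    "packages": [{"SPDXID": "SPDXRef-Package-1", "name": "example-lib"}],
}).encode()

def sha1_hex(data):
    return hashlib.sha1(data).hexdigest()

def external_ref(doc_ref_id, raw):
    """Build an externalDocumentRefs entry from the exact bytes of a local document."""
    doc = json.loads(raw)
    return {"externalDocumentId": doc_ref_id,
            "checksum": {"algorithm": "SHA1", "checksumValue": sha1_hex(raw)},
            "spdxDocument": doc["documentNamespace"]}

# Constructed stand-in for spdx_3: it only declares the external reference.
SPDX_3 = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "http://spdx.org/spdxdocs/constructed-spdx-3",
    "externalDocumentRefs": [external_ref("DocumentRef-spdx_1", SPDX_1)],
}

def resolve(referrer, reference, local_files):
    """Resolve '[DocumentRef]:[SpdxID]' against candidate local files (list of bytes)."""
    doc_ref, spdx_id = reference.split(":", 1)
    ext = next((e for e in referrer["externalDocumentRefs"]
                if e["externalDocumentId"] == doc_ref), None)
    if ext is None:
        raise KeyError(f"{doc_ref} is not declared in externalDocumentRefs")
    for raw in local_files:
        doc = json.loads(raw)
        if doc["documentNamespace"] != ext["spdxDocument"]:
            continue
        # Namespace matches; the checksum decides whether it is the referenced file.
        if sha1_hex(raw) != ext["checksum"]["checksumValue"].lower():
            raise ValueError(f"checksum mismatch for {doc_ref}")
        for pkg in doc.get("packages", []):
            if pkg["SPDXID"] == spdx_id:
                return pkg
        raise KeyError(f"{spdx_id} not found in {doc_ref}")
    raise FileNotFoundError(f"no local document with namespace {ext['spdxDocument']}")
```

A local file that carries the right namespace but has been modified since spdx_3 was written is rejected with a checksum mismatch rather than silently used.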

@goneall
Member

goneall commented Jul 5, 2023

> Btw, did you get a chance to look at the attached github.zip? Any comments on that?

Just briefly, see the comment above for some feedback.

@goneall
Member

goneall commented Dec 17, 2023

@rakeshsrinivasa Just checking to see if you still had any questions on this issue - you can also post to the SPDX Tech team mailing list for additional support with the spec.
