[spdx] SPDXID #spdx

Gary O'Neall

Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.


Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID.


Fortunately, there is a way to express the pURL and CPE ID in the SPDX Package using the ExternalRef property.  If you add these properties, tools such as the SPDX-to-OSV tool will pick up the references and use them to uniquely identify the packages.


Here’s an example in JSON format for a CPE 2.3 ID:


  "packages" : [ {
    "SPDXID" : "SPDXRef-Package",
    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
      "referenceType" : "cpe23Type"
    },  …


See the ExternalRef subsection of the spec and the External Repository Identifiers Annex for more details.
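
The following is an added example, not code from the original post or from any SPDX project tool. It shows both halves of the point above: why a CPE or pURL cannot be embedded in the SPDXID itself (the SPDX 2.x spec restricts an SPDXID to "SPDXRef-" followed by letters, digits, "." and "-", so ":", "/", "@" and "*" are rejected), and how a consumer walks externalRefs to recover the CPE 2.3 and pURL locators per package. The SPDX document, the package name "SPDXRef-Package-spring-framework" and the Maven pURL are constructed for illustration; the pURL uses referenceCategory "PACKAGE-MANAGER" with referenceType "purl", and the parser also accepts the underscore spelling of the category that some JSON serializations emit.

```python
"""Recover CPE 2.3 and pURL identifiers from SPDX 2.x package externalRefs.

Added example (not from the original post). The sample document below is
constructed; the SPDXID character rule follows the SPDX 2.x specification.
"""
import json
import re

# SPDX 2.x: an SPDXID is "SPDXRef-" + one or more of letters, digits, "." and "-".
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")

# Constructed sample: one package carrying both a CPE 2.3 ID and a pURL.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-sbom",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-spring-framework",
      "name": "spring-framework",
      "versionInfo": "4.1.0",
      "externalRefs": [
        {
          "referenceCategory": "SECURITY",
          "referenceType": "cpe23Type",
          "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
        },
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:maven/org.springframework/spring-core@4.1.0.RELEASE"
        }
      ]
    }
  ]
}
"""


def is_valid_spdxid(candidate: str) -> bool:
    """True only if the string satisfies the SPDX 2.x SPDXID grammar."""
    return bool(SPDXID_RE.fullmatch(candidate))


def extract_identifiers(doc: dict) -> dict:
    """Map each package SPDXID to the CPE 2.3 and pURL locators found in its externalRefs."""
    result = {}
    for pkg in doc.get("packages", []):
        spdxid = pkg.get("SPDXID", "")
        if not is_valid_spdxid(spdxid):
            raise ValueError(f"malformed SPDXID: {spdxid!r}")
        ids = {"cpe23": [], "purl": []}
        for ref in pkg.get("externalRefs", []):
            # Normalize "PACKAGE_MANAGER" (seen in some serializations) to "PACKAGE-MANAGER".
            category = ref.get("referenceCategory", "").replace("_", "-").upper()
            rtype = ref.get("referenceType")
            locator = ref.get("referenceLocator", "")
            if category == "SECURITY" and rtype == "cpe23Type" and locator.startswith("cpe:2.3:"):
                ids["cpe23"].append(locator)
            elif category == "PACKAGE-MANAGER" and rtype == "purl" and locator.startswith("pkg:"):
                ids["purl"].append(locator)
        result[spdxid] = ids
    return result


def demo() -> dict:
    """Run the extractor over the constructed sample document."""
    return extract_identifiers(json.loads(SAMPLE_SPDX_JSON))


if __name__ == "__main__":
    # The IDs Sandeep proposed, shown failing the SPDXID grammar.
    for bad in (
        "SPDXRef-cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
        "SPDXRef-pkg:maven/org.springframework/spring-core@4.1.0.RELEASE",
    ):
        verdict = "valid" if is_valid_spdxid(bad) else "invalid (':' '/' '@' '*' not allowed)"
        print(bad, "->", verdict)
    print(json.dumps(demo(), indent=2))
```

Running the module prints both proposed IDs as invalid and then the per-package CPE and pURL lists; a consumer that keys vulnerability lookups on those locators rather than on the SPDXID gets the uniqueness Sandeep was after while keeping the SPDXID spec-conformant.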




From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 9:06 AM
To: spdx@...
Subject: [spdx] SPDXID #spdx


Hi,
I have a query regarding SPDXID. Can this be expressed along with a CPE or pURL, something like

"SPDXRef-[cpe id]"   or  "SPDXRef-[pURL]"

Any further guidance on this will help.