Referencing external spdx documents with package information from project.spdx.yml
stephanie.neubauer@...
Hello J
I am currently working on an issue in the Oss-Review-Toolkit [1] to support referring to external SPDX files from a `project.spdx.yml` [2].
I am currently checking out the spdx-specs [3] and the spdx schema [4] to create a working example of a `project.spdx.yml` which has a package referencing an external SPDX document for its metadata. In the example file provided in [5] I could not find a reference of that sort. I have tried using the `externalRefs` parameter of a package in the spdx document, but didn't achieve actually referencing an external spdx document. In the last paragraph of the spdx/tools repository [6] I have found a mention of "ExternalSpdxElement" that is not in the 2.0 model anymore. Has this been replaced in some way?
I wondered if there was an actual example in one of the documentations or repositories that shows a project.spdx.yml listing a package, where that package's metadata refers to additional metadata in the form of a package.spdx.yml (or something similar).
Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanisms working:

    SPDXID: "SPDXRef-DOCUMENT"
    spdxVersion: "SPDX-2.2"
    creationInfo:
      created: "2020-07-23T18:30:22Z"
      creators:
        - "Organization: Example Inc."
        - "Person: Thomas Steenbergen"
      licenseListVersion: "3.9"
    name: "xyz-0.1.0"
    dataLicense: "CC0-1.0"
    documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
    documentDescribes:
      - "SPDXRef-Package-xyz"
    packages:
      - SPDXID: "SPDXRef-Package-xyz"
        description: "Awesome product created by Example Inc."
        copyrightText: "Copyright (C) 2020 Example Inc."
        downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
        filesAnalyzed: false
        homepage: "https://example.com/products/xyz"
        licenseConcluded: "NOASSERTION"
        licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
        name: "xyz"
        versionInfo: "0.1.0"
      - SPDXID: "SPDXRef-Package-curl"
        externalRefs:
          referenceCategory: "OTHER"
          referenceLocator: "curl:7.70.0"  # (or similar way of giving an identifier)
          referenceType: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml  # (alternatively a relative path to the same file locally could be given here)

OR:

      - SPDXID: "SPDXRef-Package-curl"
        externalSpdxDocument:
          documentUri: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml  # (alternatively a relative path to the same file locally could be given here)
          id: SPDXDocumentRef-curl

    relationships:
      - spdxElementId: "SPDXRef-Package-xyz"
        relatedSpdxElement: "SPDXRef-Package-curl"
        relationshipType: "DEPENDS_ON"
[1] https://github.com/oss-review-toolkit/ort
[2] https://github.com/oss-review-toolkit/ort/issues/3402
[3] https://spdx.github.io/spdx-spec/3-package-information/#321-external-reference
[4] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json
[5] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml
[6] https://github.com/spdx/tools#upgrading-to-spdx-20
Mit freundlichen Grüßen / Best regards
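An added example, not from the message above nor from ORT or the SPDX project: in SPDX 2.2 the cross-document link lives at document level in `externalDocumentRefs` (an `externalDocumentId` of the form `DocumentRef-...`, the external document's `spdxDocument` namespace URI and a `checksum` of that document), after which elements of the other document are named `DocumentRef-id:SPDXRef-id` in relationships. The Python below builds such a project document as a constructed dict and resolves its external references, verifying the checksum so a consumer notices when the referenced package document has been swapped; the namespace URIs, package names and document bytes are all constructed.

```python
import hashlib

# Constructed stand-in for the raw bytes of the external package.spdx.yml
# (in practice fetched from wherever the spdxDocument URI resolves to).
CURL_DOC_BYTES = b'SPDXID: "SPDXRef-DOCUMENT"\nname: "curl-7.70.0"\n'

# Constructed SPDX 2.2 project document (the parsed form of a project.spdx.yml),
# trimmed to the fields that carry the cross-document reference.
PROJECT_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.2",
    "name": "xyz-0.1.0",
    "documentNamespace": "http://spdx.org/spdxdocs/spdx-document-xyz",
    "externalDocumentRefs": [{
        "externalDocumentId": "DocumentRef-curl",
        "spdxDocument": "http://spdx.org/spdxdocs/spdx-document-curl-7.70.0",
        "checksum": {"algorithm": "SHA1",
                     "checksumValue": hashlib.sha1(CURL_DOC_BYTES).hexdigest()},
    }],
    "packages": [{"SPDXID": "SPDXRef-Package-xyz", "name": "xyz",
                  "versionInfo": "0.1.0"}],
    "relationships": [{
        "spdxElementId": "SPDXRef-Package-xyz",
        "relationshipType": "DEPENDS_ON",
        # element of the *external* document: "<externalDocumentId>:<SPDXID>"
        "relatedSpdxElement": "DocumentRef-curl:SPDXRef-Package-curl",
    }],
}


def verify_external_refs(doc, fetch):
    """Resolve every DocumentRef-prefixed element used in relationships.

    fetch(uri) returns the bytes of the external document. Returns a list of
    (externalDocumentId, spdxDocument URI, element SPDXID) triples; raises
    ValueError for an unknown DocumentRef or a checksum mismatch.
    """
    refs = {r["externalDocumentId"]: r for r in doc.get("externalDocumentRefs", [])}
    resolved = []
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            elem = rel[key]
            if ":" not in elem:
                continue  # local element, no external document involved
            ext_id, element_id = elem.split(":", 1)
            ref = refs.get(ext_id)
            if ref is None:
                raise ValueError(f"{elem}: no externalDocumentRefs entry for {ext_id}")
            digest = hashlib.new(ref["checksum"]["algorithm"].lower(),
                                 fetch(ref["spdxDocument"])).hexdigest()
            if digest != ref["checksum"]["checksumValue"].lower():
                raise ValueError(f"{ext_id}: checksum mismatch for {ref['spdxDocument']}")
            resolved.append((ext_id, ref["spdxDocument"], element_id))
    return resolved
```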