Referencing external SPDX documents with package information from project.spdx.yml


Neubauer Stephanie (IOC/PDL4)

Hello,

I am currently working on an issue in the OSS Review Toolkit [1] to support referring to external SPDX files from a `project.spdx.yml` [2].

I am currently checking out the SPDX spec [3] and the SPDX schema [4] to create a working example of a `project.spdx.yml` that has a package referencing an external SPDX document for its metadata.

In the example file provided in [5] I could not find a reference of that sort.

I have tried using the `externalRefs` parameter of a package in the SPDX document, but did not manage to actually reference an external SPDX document.

In the last paragraph of the spdx/tools repository [6] I found a mention of "ExternalSpdxElement" that is not in the 2.0 model anymore. Has this been replaced in some way?

I wondered if there was an actual example in one of the documentations or repositories that shows:

- a project.spdx.yml listing a package, and
- in that package's metadata, a reference to additional metadata in the form of a package.spdx.yml (or something similar).

Here is a slightly changed project.spdx.yml (originally from [7]) that shows how I would imagine the mechanism working:

SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2020-07-23T18:30:22Z"
  creators:
  - "Organization: Example Inc."
  - "Person: Thomas Steenbergen"
  licenseListVersion: "3.9"
name: "xyz-0.1.0"
dataLicense: "CC0-1.0"
documentNamespace: "http://spdx.org/spdxdocs/spdx-document-xyz"
documentDescribes:
- "SPDXRef-Package-xyz"
packages:
- SPDXID: "SPDXRef-Package-xyz"
  description: "Awesome product created by Example Inc."
  copyrightText: "Copyright (C) 2020 Example Inc."
  downloadLocation: "git+ssh://gitlab.example.com:3389/products/xyz.git@b2c358080011af6a366d2512a25a379fbe7b1f78"
  filesAnalyzed: false
  homepage: "https://example.com/products/xyz"
  licenseConcluded: "NOASSERTION"
  licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
  name: "xyz"
  versionInfo: "0.1.0"
# Variant 1: point at the external document through the package's externalRefs
- SPDXID: "SPDXRef-Package-curl"
  externalRefs:
  - referenceCategory: "OTHER"
    # or a similar way of giving an identifier
    referenceLocator: "curl:7.70.0"
    # alternatively a relative path to the same file locally could be given here
    referenceType: "https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml"
# Variant 2 (instead of Variant 1): a dedicated externalSpdxDocument entry on the package
# - SPDXID: "SPDXRef-Package-curl"
#   externalSpdxDocument:
#     # alternatively a relative path to the same file locally could be given here
#     documentUri: "https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml"
#     id: "SPDXDocumentRef-curl"
relationships:
- spdxElementId: "SPDXRef-Package-xyz"
  relatedSpdxElement: "SPDXRef-Package-curl"
  relationshipType: "DEPENDS_ON"

[1] https://github.com/oss-review-toolkit/ort
[2] https://github.com/oss-review-toolkit/ort/issues/3402
[3] https://spdx.github.io/spdx-spec/3-package-information/#321-external-reference
[4] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json
[5] https://github.com/spdx/spdx-spec/blob/development/v2.2.1/examples/SPDXYAMLExample-2.2.spdx.yaml
[6] https://github.com/spdx/tools#upgrading-to-spdx-20
[7] https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/project/project.spdx.yml

Best regards

Stephanie Neubauer

Project Delivery Stuttgart (IOC/PDL4)
Robert Bosch GmbH | Postfach 11 27 | 71301 Waiblingen | GERMANY |
www.bosch.com
Tel. +49 711 811-92528 | Mobile +49 172 3620267 | Fax +49 711 811-58200 |
Threema / Threema Work: PHCV2F36 | Stephanie.Neubauer@...

Registered office: Stuttgart, Registration court: Amtsgericht Stuttgart, HRB 14000;
Chairman of the Supervisory Board: Franz Fehrenbach; Managing Directors: Dr. Volkmar Denner,
Prof. Dr. Stefan Asenkerschbaumer, Filiz Albrecht, Dr. Michael Bolle, Dr. Christian Fischer,
Dr. Stefan Hartung, Dr. Markus Heyn, Harald Kröger, Rolf Najork, Uwe Raschke

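Editor's added example (not part of the message above, and not code from the ORT or SPDX projects). The SPDX 2.2 schema's own mechanism for pointing at another document is not a package-level field but the document-level `externalDocumentRefs` list: each entry carries an `externalDocumentId` of the form `DocumentRef-...`, the referenced document's `documentNamespace` URI in `spdxDocument`, and a `checksum` of that document's bytes. An element of the referenced document is then named as `DocumentRef-curl:SPDXRef-Package-curl`, for example as the target of a DEPENDS_ON relationship. The script below builds a curl package document and a project document in the JSON serialisation of the schema (same field names as the YAML form; JSON is used only so the script runs with the standard library), resolves the relationship target, and refuses the external document unless its checksum and namespace match the declaration. The namespace URIs, the curl document's contents and the `resolve_external_elements` helper are constructed for this example; how the bytes are fetched (a URL or a relative path, as proposed above) is left to the caller, which is why the function takes already-fetched bytes.

```python
import hashlib
import json

# Constructed sample: the curl package document that the project document
# references. Assumed namespace, not a real published document.
CURL_NAMESPACE = "http://spdx.org/spdxdocs/spdx-document-curl-7.70.0"

CURL_DOC_BYTES = json.dumps({
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "name": "curl-7.70.0",
    "documentNamespace": CURL_NAMESPACE,
    "creationInfo": {"created": "2020-07-23T18:30:22Z",
                     "creators": ["Organization: Example Inc."]},
    "documentDescribes": ["SPDXRef-Package-curl"],
    "packages": [{
        "SPDXID": "SPDXRef-Package-curl",
        "name": "curl",
        "versionInfo": "7.70.0",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "licenseConcluded": "curl",
        "licenseDeclared": "curl",
        "copyrightText": "NOASSERTION",
    }],
}, indent=2, sort_keys=True).encode()

# Constructed project document. externalDocumentRefs declares the curl document
# (id, namespace URI, checksum of its bytes); the relationship then names the
# package inside it as "DocumentRef-curl:SPDXRef-Package-curl".
PROJECT_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "name": "xyz-0.1.0",
    "documentNamespace": "http://spdx.org/spdxdocs/spdx-document-xyz",
    "creationInfo": {"created": "2020-07-23T18:30:22Z",
                     "creators": ["Organization: Example Inc."]},
    "externalDocumentRefs": [{
        "externalDocumentId": "DocumentRef-curl",
        "spdxDocument": CURL_NAMESPACE,
        "checksum": {"algorithm": "SHA1",
                     "checksumValue": hashlib.sha1(CURL_DOC_BYTES).hexdigest()},
    }],
    "documentDescribes": ["SPDXRef-Package-xyz"],
    "packages": [{
        "SPDXID": "SPDXRef-Package-xyz",
        "name": "xyz",
        "versionInfo": "0.1.0",
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "licenseConcluded": "NOASSERTION",
        "licenseDeclared": "Apache-2.0 AND curl",
        "copyrightText": "Copyright (C) 2020 Example Inc.",
    }],
    "relationships": [{
        "spdxElementId": "SPDXRef-Package-xyz",
        "relatedSpdxElement": "DocumentRef-curl:SPDXRef-Package-curl",
        "relationshipType": "DEPENDS_ON",
    }],
}


def resolve_external_elements(project, fetched):
    """Resolve every DocumentRef-...:SPDXRef-... relationship target.

    `fetched` maps a document namespace URI to the raw bytes the caller
    retrieved for it. Returns (resolved, errors): resolved maps the full
    reference to the element dict found in the external document; errors lists
    references that must not be trusted, with the reason."""
    refs = {r["externalDocumentId"]: r for r in project.get("externalDocumentRefs", [])}
    resolved, errors = {}, []
    for rel in project.get("relationships", []):
        target = rel["relatedSpdxElement"]
        if ":" not in target:
            continue  # local element, nothing to resolve
        doc_id, element_id = target.split(":", 1)
        ref = refs.get(doc_id)
        if ref is None:
            errors.append(f"{target}: {doc_id} is not declared in externalDocumentRefs")
            continue
        raw = fetched.get(ref["spdxDocument"])
        if raw is None:
            errors.append(f"{target}: no content fetched for {ref['spdxDocument']}")
            continue
        # Check the bytes against the declared checksum before parsing: the
        # checksum pins the referenced document to the version the author of
        # the project document actually looked at (SPDX names, e.g. SHA1 or
        # SHA3-256, are mapped to hashlib names).
        algorithm = ref["checksum"]["algorithm"].lower().replace("-", "_")
        digest = hashlib.new(algorithm, raw).hexdigest()
        if digest != ref["checksum"]["checksumValue"].lower():
            errors.append(f"{target}: {ref['checksum']['algorithm']} mismatch for {ref['spdxDocument']}")
            continue
        external = json.loads(raw)
        if external.get("documentNamespace") != ref["spdxDocument"]:
            errors.append(f"{target}: fetched document has a different documentNamespace")
            continue
        elements = external.get("packages", []) + external.get("files", [])
        match = next((e for e in elements if e.get("SPDXID") == element_id), None)
        if match is None:
            errors.append(f"{target}: {element_id} not found in {ref['spdxDocument']}")
            continue
        resolved[target] = match
    return resolved, errors


if __name__ == "__main__":
    print(resolve_external_elements(PROJECT_DOC, {CURL_NAMESPACE: CURL_DOC_BYTES}))
    # A copy of the external document with its declared license rewritten
    # fails the checksum and is reported instead of resolved.
    tampered = CURL_DOC_BYTES.replace(b'"licenseDeclared": "curl"', b'"licenseDeclared": "MIT"')
    print(resolve_external_elements(PROJECT_DOC, {CURL_NAMESPACE: tampered}))
```

The checksum check is the point of the exercise: a bare URL or relative path in a package entry tells a consumer where to look but not which revision of that file the author meant, whereas `externalDocumentRefs` ties the reference to the exact bytes. A resolver that skips the check will happily take license metadata from whatever the URL serves today.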