Re: Referencing external spdx documents with package information from project.spdx.yml
Moving this from spdx general list to spdx-tech list.
If you are referring to an external SPDX document, you will want to use the ExternalSpdxDocument rather than ExternalRef.
The serialization format for the ExternalSpdxDocument varies quite a bit between the different file formats.
For YAML, the top level document will have a field externalDocumentRefs which lists all documents which are referenced. For example:
- externalDocumentId: "DocumentRef-spdx-tool-1.2"
When an element in the external document is referenced, the syntax is externalDocumentId:SPDXRef-XXX, where SPDXRef-XXX is the SPDX reference in the external document.
- spdxElementId: "SPDXRef-DOCUMENT"
This is a similar approach to how the Tag/Value fields are parsed.
Note that this is an area of active discussion for the 3.0 Spec. We are all finding the ExternalDocumentRefs confusing and we will be renaming the fields at a minimum. There is also some discussion on changing the model related to external document refs. We will probably be discussing this on upcoming SPDX tech calls. It has been proposed that we reintroduce the ExternalSpdxElement in the model for 3.0.
The SPDX YAML example includes an external document reference.
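The two forms described above (a top-level externalDocumentRefs entry, and an element reference written as externalDocumentId:SPDXRef-XXX) can be resolved mechanically. The following is an added example, not code from the SPDX tools or the thread: it takes a constructed SPDX 2.2 document (written as the mapping yaml.safe_load would return, with assumed ids, namespaces and a placeholder checksum) and checks that every relationship endpoint either names a local element or uses a DocumentRef prefix that is actually declared.

```python
import re
# Constructed SPDX 2.2 document, as the mapping yaml.safe_load would return for a
# project.spdx.yml; every id, URI and checksum here is an assumed sample value.
PROJECT_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "https://example.com/spdx/project-1.0",
    "externalDocumentRefs": [{
        "externalDocumentId": "DocumentRef-curl",
        "spdxDocument": "https://example.com/spdx/curl-7.70.0",  # the other document's namespace
        "checksum": {"algorithm": "SHA1", "checksumValue": "0" * 40},  # placeholder digest
    }],
    "packages": [{"SPDXID": "SPDXRef-Package-xyz", "name": "xyz"}],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-xyz", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "DocumentRef-curl:SPDXRef-Package-curl"},
        {"spdxElementId": "SPDXRef-Package-xyz", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "DocumentRef-zlib:SPDXRef-Package-zlib"},  # prefix never declared
    ],
}

# "SPDXRef-<id>" is an element of this document; "DocumentRef-<id>:SPDXRef-<id>" is an
# element of the external document declared under that externalDocumentId.
ELEMENT_REF = re.compile(r"^(?:(DocumentRef-[A-Za-z0-9.-]+):)?(SPDXRef-[A-Za-z0-9.-]+)$")

def resolve_element_ref(doc, ref):
    """Return (document namespace, SPDXRef id) for ref, or raise ValueError."""
    match = ELEMENT_REF.match(ref)
    if not match:
        raise ValueError(f"malformed element reference: {ref!r}")
    doc_ref, spdx_id = match.groups()
    if doc_ref is None:  # local element: must be defined in this document
        local_ids = {doc["SPDXID"]} | {p["SPDXID"] for p in doc.get("packages", [])}
        if spdx_id not in local_ids:
            raise ValueError(f"{spdx_id} is not defined in this document")
        return doc["documentNamespace"], spdx_id
    for ext in doc.get("externalDocumentRefs", []):  # external: prefix must be declared
        if ext["externalDocumentId"] == doc_ref:
            return ext["spdxDocument"], spdx_id
    raise ValueError(f"{doc_ref} is not declared in externalDocumentRefs")

def check_relationships(doc):
    """Return one error string per relationship endpoint that does not resolve."""
    errors = []
    for rel in doc.get("relationships", []):
        for field in ("spdxElementId", "relatedSpdxElement"):
            try:
                resolve_element_ref(doc, rel[field])
            except ValueError as exc:
                errors.append(f"{rel['relationshipType']} {field}: {exc}")
    return errors
```

Running check_relationships(PROJECT_DOC) reports only the DocumentRef-zlib endpoint, since that prefix has no externalDocumentRefs entry; the curl reference resolves to the namespace given in spdxDocument.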
From: spdx@... <spdx@...> On Behalf Of Neubauer Stephanie (IOC/PDL4) via lists.spdx.org
Sent: Wednesday, January 13, 2021 4:40 AM
Cc: Schuberth Sebastian (IOC/PDL1) <Sebastian.Schuberth@...>
Subject: [spdx] Referencing external spdx documents with package information from project.spdx.yml
I am currently working on an issue in the Oss-Review-Toolkit to support referring to external SPDX files from a `project.spdx.yml`.
I am currently checking out the spdx-specs and the spdx schema to create a working example of a `project.spdx.yml` which has a package referencing an external SPDX document for its metadata.
In the example file provided in I could not find a reference of that sort.
I have tried using the `externalRefs` parameter of a package in the SPDX document, but didn't achieve actually referencing an external SPDX document.
In the last paragraph of the spdx/tools repository I have found a mention of "ExternalSpdxElement" that is not in the 2.0 model anymore. Has this been replaced in some way?
I wondered if there was an actual example in one of the documentations or repositories that shows:
A project.spdx.yml listing a package
and in that package metadata refer to
additional metadata in the form of a package.spdx.yml (or something similar)
Here is a slightly changed project.spdx.yml (originally from ) that shows how I would imagine the mechanisms working:
- "Organization: Example Inc."
- "Person: Thomas Steenbergen"
- SPDXID: "SPDXRef-Package-xyz"
description: "Awesome product created by Example Inc."
copyrightText: "Copyright (C) 2020 Example Inc."
licenseDeclared: "Apache-2.0 AND curl AND LicenseRef-Proprietary-ExampleInc"
- SPDXID: "SPDXRef-Package-curl"
referenceLocator: "curl:7.70.0"  # or a similar way of giving an identifier
referenceType: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml  # alternatively a relative path to the same file locally could be given here
OR:
- SPDXID: "SPDXRef-Package-curl"
documentUri: https://github.com/oss-review-toolkit/ort/blob/master/analyzer/src/funTest/assets/projects/synthetic/spdx/package/libs/curl/package.spdx.yml  # alternatively a relative path to the same file locally could be given here
- spdxElementId: "SPDXRef-Package-xyz"
Best regards