Re: SPDXID #spdx


Gary O'Neall

Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.

Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID.

Fortunately, there is a way to express the pURL and CPE ID in the SPDX Package using the ExternalRef property. If you add these properties, tools such as the SPDX to OSV tool will pick up the references and use them to uniquely identify the packages.

Here's an example in JSON format for a CPE 2.3 ID:

  "packages" : [ {
    "SPDXID" : "SPDXRef-Package",
    "externalRefs" : [ {
      "referenceCategory" : "SECURITY",
      "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
      "referenceType" : "cpe23Type"
    }, …

See the ExternalRef subsection of the spec and the External Repository Identifiers Annex for more details.

Regards,
Gary

From: spdx@... <spdx@...> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 9:06 AM
To: spdx@...
Subject: [spdx] SPDXID #spdx

Hi,
I have a query regarding SPDXID. Can this be expressed along with a CPE or pURL, something like

"SPDXRef-[cpe id]"   or  "SPDXRef-[pURL]"

Any further guidance on this will help.

Regards
Sandeep 
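Gary's ExternalRef approach, worked through as an added example (this is not code from the original message or from the SPDX project): the script below applies the SPDX 2.x rule that an SPDXID is "SPDXRef-" followed only by letters, digits, "." and "-", shows that an identifier with an embedded CPE or pURL fails that rule, attaches both identifiers to the package as externalRefs instead (SECURITY/cpe23Type for the CPE, PACKAGE-MANAGER/purl for the pURL, as listed in the External Repository Identifiers Annex), and reads them back the way a consumer such as a vulnerability matcher would. The CPE is the one from Gary's example; the Maven pURL, the document namespace and the creator string are assumed placeholders.

```python
"""Carry a CPE 2.3 ID and a pURL on an SPDX 2.x package via externalRefs
rather than embedding them in the SPDXID (added example, not SPDX project code)."""
import json
import re
from typing import Optional

# SPDX 2.x: an SPDX identifier is "SPDXRef-" plus letters, digits, "." and "-" only.
# Colons, slashes, "@" and "*", all present in CPE and pURL strings, are disallowed.
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.-]+$")

# Constructed sample identifiers: the CPE is taken from the message above,
# the pURL is an assumed Maven coordinate for the same package.
SAMPLE_CPE = "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
SAMPLE_PURL = "pkg:maven/org.springframework/spring-core@4.1.0"


def is_valid_spdxid(spdxid: str) -> bool:
    """True if the string is a syntactically valid SPDX 2.x identifier."""
    return SPDXID_RE.fullmatch(spdxid) is not None


def make_package(name: str, version: str, spdxid: str = "SPDXRef-Package",
                 cpe23: Optional[str] = None, purl: Optional[str] = None) -> dict:
    """Build an SPDX 2.3 JSON package that carries the identifiers as external references."""
    if not is_valid_spdxid(spdxid):
        raise ValueError(f"not a valid SPDX identifier: {spdxid!r}")
    refs = []
    if cpe23 is not None:
        # CPE 2.3 goes in the SECURITY category with referenceType cpe23Type.
        refs.append({"referenceCategory": "SECURITY",
                     "referenceType": "cpe23Type",
                     "referenceLocator": cpe23})
    if purl is not None:
        # pURL goes in the PACKAGE-MANAGER category with referenceType purl.
        refs.append({"referenceCategory": "PACKAGE-MANAGER",
                     "referenceType": "purl",
                     "referenceLocator": purl})
    return {
        "SPDXID": spdxid,
        "name": name,
        "versionInfo": version,
        "downloadLocation": "NOASSERTION",
        "filesAnalyzed": False,
        "externalRefs": refs,
    }


def locators(package: dict, reference_type: str) -> list:
    """Consumer side: collect every referenceLocator of the given referenceType
    from a package's externalRefs, which is how a tool identifies the package."""
    return [r["referenceLocator"] for r in package.get("externalRefs", [])
            if r.get("referenceType") == reference_type]


def build_document(packages: list) -> dict:
    """Minimal SPDX 2.3 JSON document around the packages; namespace and creator are assumed."""
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-sbom",
        "documentNamespace": "https://example.invalid/spdx/example-sbom",  # assumed placeholder
        "creationInfo": {"created": "2022-05-16T00:00:00Z",
                         "creators": ["Tool: example-script"]},  # assumed placeholder
        "packages": packages,
    }


if __name__ == "__main__":
    # Both attempts at Sandeep's "SPDXRef-[cpe id]" / "SPDXRef-[pURL]" fail the ID rule.
    for bad in ("SPDXRef-" + SAMPLE_CPE, "SPDXRef-" + SAMPLE_PURL):
        print(f"{bad!r} is a valid SPDXID: {is_valid_spdxid(bad)}")
    pkg = make_package("spring_framework", "4.1.0", cpe23=SAMPLE_CPE, purl=SAMPLE_PURL)
    print(json.dumps(build_document([pkg]), indent=2))
    print("CPE locators:", locators(pkg, "cpe23Type"))
    print("pURL locators:", locators(pkg, "purl"))
```

Note that the SPDX 2.3 JSON schema also accepts the underscore spelling PACKAGE_MANAGER for the category; the hyphenated form is the one used in the specification text.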
