SPDXID #spdx
Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.
Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID.
Fortunately, there is a way to express the pURL and CPE ID in the SPDX Package using the ExternalRef property. If you add these properties, tools such as the SPDX to OSV will pick up the references and use them to uniquely identify the packages.
Here’s an example in JSON format for a CPE 2.3 ID:
"packages" : [ {
  "SPDXID" : "SPDXRef-Package",
  "externalRefs" : [ {
    "referenceCategory" : "SECURITY",
    "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
    "referenceType" : "cpe23Type"
  }, …
See the ExternalRef subsection of the spec and the External Repository Identifiers Annex for more details.
Regards,
Gary
Sent: Monday, May 16, 2022 9:06 AM
To: spdx@...
Subject: [spdx] SPDXID #spdx
Hi,
I have a query regarding SPDXID. Can this be expressed along with a CPE or pURL, something like
"SPDXRef-[cpe id]" or "SPDXRef-[pURL]"
Any further guidance on this will help.
Regards
Sandeep
Hi Sandeep,
Although the SPDX ID is internal to SPDX documents, you can refer to an SPDX ID in a different document using the SPDX Document identifier as defined in section 6.6. So the statement below is accurate but could probably be made a bit clearer.
Regards,
Gary
Sent: Monday, May 16, 2022 11:44 PM
To: spdx@...
Subject: Re: [spdx] SPDXID #spdx
Hi Gary,
Thanks for the reply. Then SPDXID will be mostly an internal ID and cannot be referenced externally. Do you think this might need some change in the SPDXID documentation statement?
"Uniquely identify any element in an SPDX document which may be referenced by other elements. These may be referenced internally and externally with the addition of the SPDX document identifier."
Regards
Sandeep
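The thread above makes two points: an SPDXID cannot carry a CPE or pURL because of its restricted character set, so those go into ExternalRef entries instead, and an element in another document is reached through the external document identifier ("DocumentRef-…:SPDXRef-…"). The following Python script is an added example written for this page; it is not code from Gary, Sandeep, the SPDX project or the SPDX-to-OSV tool. The identifier regexes are this example's reading of the SPDX 2.3 spec, the sample document is constructed (the pURL, the document URL and the checksum are placeholders), and the function names are the example's own.

```python
import re

# SPDX 2.3 restricts an element identifier to "SPDXRef-" followed by letters,
# digits, "." and "-", and an external document identifier to "DocumentRef-"
# plus the same character set. These regexes are this example's reading of
# the spec; they are why a CPE (":" and "*") or a pURL ("/" and "@") cannot be
# embedded in an SPDXID.
SPDXID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
DOCREF_RE = re.compile(r"^DocumentRef-[A-Za-z0-9.\-]+$")

# Constructed sample document (not from the thread). The package carries the
# CPE from Gary's mail plus a placeholder pURL, and one relationship points
# into a second SBOM through an externalDocumentRefs entry whose URL and
# checksum are placeholders.
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "externalDocumentRefs": [
        {
            "externalDocumentId": "DocumentRef-spring-sbom",
            "spdxDocument": "https://example.invalid/spring-sbom.spdx.json",
            "checksum": {"algorithm": "SHA1",
                         "checksumValue": "d6a770ba38583ed4bb4525bd96e50461655d2758"},
        }
    ],
    "packages": [
        {
            "SPDXID": "SPDXRef-Package",
            "name": "spring-framework",
            "versionInfo": "4.1.0",
            "externalRefs": [
                {"referenceCategory": "SECURITY",
                 "referenceType": "cpe23Type",
                 "referenceLocator": "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"},
                {"referenceCategory": "PACKAGE-MANAGER",
                 "referenceType": "purl",
                 "referenceLocator": "pkg:maven/org.springframework/spring-core@4.1.0.RELEASE"},
            ],
        }
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package"},
        {"spdxElementId": "SPDXRef-Package", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "DocumentRef-spring-sbom:SPDXRef-Package-core"},
    ],
}


def is_valid_spdxid(value):
    """True if value is a syntactically valid local SPDX element identifier."""
    return bool(SPDXID_RE.match(value))


def security_locators(doc):
    """Map each package SPDXID to the CPE 2.3 and pURL locators found in its
    externalRefs; this is the lookup a tool such as SPDX-to-OSV needs."""
    out = {}
    for pkg in doc.get("packages", []):
        entry = {"cpe23": [], "purl": []}
        for ref in pkg.get("externalRefs", []):
            rtype = ref.get("referenceType")
            cat = ref.get("referenceCategory")
            loc = ref.get("referenceLocator", "")
            if rtype == "cpe23Type" and cat == "SECURITY" and loc.startswith("cpe:2.3:"):
                entry["cpe23"].append(loc)
            elif rtype == "purl" and cat == "PACKAGE-MANAGER" and loc.startswith("pkg:"):
                entry["purl"].append(loc)
        out[pkg["SPDXID"]] = entry
    return out


def split_element_ref(ref):
    """Split an element reference into (external document id or None, SPDXID).
    A reference of the form DocumentRef-x:SPDXRef-y points into another
    document; NONE and NOASSERTION are passed through unchanged."""
    if ref in ("NONE", "NOASSERTION"):
        return None, ref
    if ":" in ref:
        doc_id, local = ref.split(":", 1)
        if not DOCREF_RE.match(doc_id):
            raise ValueError(f"bad external document id: {doc_id}")
    else:
        doc_id, local = None, ref
    if not is_valid_spdxid(local):
        raise ValueError(f"bad SPDX identifier: {local}")
    return doc_id, local


def resolve_external_refs(doc):
    """Check that every cross-document reference in the relationships names a
    declared externalDocumentRefs entry; return {ref: (document URI, SPDXID)}."""
    declared = {d["externalDocumentId"]: d["spdxDocument"]
                for d in doc.get("externalDocumentRefs", [])}
    resolved = {}
    for rel in doc.get("relationships", []):
        for side in ("spdxElementId", "relatedSpdxElement"):
            doc_id, local = split_element_ref(rel[side])
            if doc_id is None:
                continue
            if doc_id not in declared:
                raise ValueError(f"undeclared external document: {doc_id}")
            resolved[rel[side]] = (declared[doc_id], local)
    return resolved


if __name__ == "__main__":
    print(security_locators(SAMPLE_DOC))
    print(resolve_external_refs(SAMPLE_DOC))
```

Running the script prints the CPE and pURL keyed by SPDXID and the one cross-document reference resolved to the external SBOM's URI. Feeding a CPE or pURL through is_valid_spdxid shows the character-set problem from Gary's first reply, and a DocumentRef-… prefix that is not declared in externalDocumentRefs is rejected rather than silently dropped, which is the check a consumer should make before following a reference into another document.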