tools-python

Adding NOASSERTION/NONE to DocumentRef in relationships as per the spdx v2.3 spec

Open ShubhankarVN opened this issue 1 year ago • 3 comments

In Table 69 of Chapter 11 of the SPDX V2.3 Spec, the Format section states that NONE and NOASSERTION are acceptable in the related spdx element field.

["DocumentRef-"[idstring]":"]SPDXID <relationship> ["DocumentRef-"[idstring]":"]SPDXID | NONE | NOASSERTION

where "DocumentRef-"[idstring]":" is an optional reference to an external SPDX document as described in 6.6
where SPDXID is a string containing letters, numbers, "." and/or "-", as described in 6.3, 7.2, 8.2
where <relationship> is one of the documented relationship types in Table 68
where NONE can be used to explicitly indicate there are NO other relationships
where NOASSERTION can be used to explicitly indicate it is not clear if there are relationships that may apply or not

The sample relationships I'm trying are:

{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NONE",
"relationshipType": "DESCRIBED_BY"
}

This gives me an error stating:

the internal SPDX id part of spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: NOASSERTION

and

the internal SPDX id part of spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: NONE

Have I interpreted the spec incorrectly or should NOASSERTION and NONE be allowed as per the sample relationship I have mentioned above?

spdx_tools = 0.8.2
python = 3.10.11

ShubhankarVN avatar Dec 12 '23 15:12 ShubhankarVN

@ShubhankarVN I believe the syntax allows for NONE and NOASSERTION without the preceding DocumentRef-.

So the following should work:

{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "NONE",
"relationshipType": "DESCRIBED_BY"
}

goneall avatar Dec 12 '23 21:12 goneall

The scenario we are trying is where the Package and External Document Refs are related and both IDs are known, but the exact internal SPDXID that's part of the DocumentRef is not known.

In the below example, SPDXRef-Package-1 and DocumentRef-1 are known IDs, but the exact internal SPDXID that's part of DocumentRef-1 is unknown, hence NOASSERTION/NONE.

E.g.:

{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}

What can be done in this scenario?

ShubhankarVN avatar Dec 13 '23 04:12 ShubhankarVN

What can be done in this scenario?

The spec currently doesn't support referring to an unknown SPDX ID within an external document.

What I would suggest is creating a relationship to the document itself which has a pre-defined known ID - e.g.:

{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:SPDXRef-DOCUMENT",
"relationshipType": "DESCRIBED_BY"
}

goneall avatar Dec 13 '23 17:12 goneall
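The Table 69 grammar quoted at the top of the thread, and the workaround suggested in the last reply, can be checked with a small standalone validator. The following is an added example, not code from the spdx-tools project; it reimplements the grammar with its own regular expressions rather than calling spdx-tools. It assumes the internal-id character set from the error message in the issue (letters, numbers, "." and "-" after "SPDXRef-") and, as an assumption about section 6.6, additionally allows "+" in the DocumentRef idstring. The three relationship objects at the bottom are constructed to mirror the ones discussed in the thread.

```python
"""Standalone check of the SPDX 2.3 Table 69 relationship grammar.

    ["DocumentRef-"idstring":"]SPDXID <relationship> ["DocumentRef-"idstring":"]SPDXID | NONE | NOASSERTION

NONE and NOASSERTION are alternatives for the whole right-hand side; they are not
a stand-in for the SPDXID inside an external document reference.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Internal SPDX identifier (6.3 / 7.2 / 8.2): "SPDXRef-" then letters, numbers, "." and "-".
_INTERNAL_ID = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")
# External document reference (6.6). Assumption: idstring uses the same characters plus "+".
_DOCUMENT_REF = re.compile(r"^DocumentRef-[A-Za-z0-9.\-+]+$")
_SPECIAL = ("NONE", "NOASSERTION")


@dataclass(frozen=True)
class RelatedElement:
    """Parsed right-hand side of a relationship."""
    kind: str                            # "element", "NONE" or "NOASSERTION"
    document_ref: Optional[str] = None   # e.g. "DocumentRef-1"; None for a local element
    spdx_id: Optional[str] = None        # e.g. "SPDXRef-DOCUMENT"


def parse_related_spdx_element(value: str) -> RelatedElement:
    """Parse one relatedSpdxElement value; raise ValueError if it violates Table 69."""
    if value in _SPECIAL:
        # NONE / NOASSERTION are only valid as the complete value.
        return RelatedElement(kind=value)
    document_ref: Optional[str] = None
    local_id = value
    if value.startswith("DocumentRef-"):
        prefix, sep, local_id = value.partition(":")
        if not sep:
            raise ValueError(
                f'external reference must look like "DocumentRef-<idstring>:SPDXRef-<id>", but is: {value}'
            )
        if not _DOCUMENT_REF.match(prefix):
            raise ValueError(f"invalid external document reference: {prefix}")
        document_ref = prefix
    if not _INTERNAL_ID.match(local_id):
        # Same condition, and the same wording, as the spdx-tools error quoted in the issue:
        # "DocumentRef-1:NOASSERTION" ends up here with local_id == "NOASSERTION".
        raise ValueError(
            'the internal SPDX id part of spdx_id must only contain letters, numbers, '
            f'"." and "-" and must begin with "SPDXRef-", but is: {local_id}'
        )
    return RelatedElement(kind="element", document_ref=document_ref, spdx_id=local_id)


def validate_relationship(relationship: dict) -> List[str]:
    """Return the validation errors for one JSON relationship object (empty list if valid)."""
    errors: List[str] = []
    try:
        left = parse_related_spdx_element(relationship.get("spdxElementId", ""))
        # The left-hand side of Table 69 is always an element: NONE/NOASSERTION are not allowed.
        if left.kind != "element":
            errors.append(f"spdxElementId must identify an element, but is: {left.kind}")
    except ValueError as exc:
        errors.append(f"spdxElementId: {exc}")
    try:
        parse_related_spdx_element(relationship.get("relatedSpdxElement", ""))
    except ValueError as exc:
        errors.append(f"relatedSpdxElement: {exc}")
    if not relationship.get("relationshipType"):
        errors.append("relationshipType is missing")
    return errors


# Constructed samples mirroring the thread (not taken from any real SBOM).
REJECTED = {          # what the issue author tried: rejected, NOASSERTION is not an SPDXID
    "spdxElementId": "SPDXRef-Package-1",
    "relatedSpdxElement": "DocumentRef-1:NOASSERTION",
    "relationshipType": "DESCRIBED_BY",
}
WHOLE_VALUE = {       # first reply: NOASSERTION as the complete value is fine
    "spdxElementId": "SPDXRef-Package-1",
    "relatedSpdxElement": "NOASSERTION",
    "relationshipType": "DESCRIBED_BY",
}
WORKAROUND = {        # last reply: point at the external document's own well-known id
    "spdxElementId": "SPDXRef-Package-1",
    "relatedSpdxElement": "DocumentRef-1:SPDXRef-DOCUMENT",
    "relationshipType": "DESCRIBED_BY",
}

if __name__ == "__main__":
    for name, rel in (("rejected", REJECTED), ("whole value", WHOLE_VALUE), ("workaround", WORKAROUND)):
        print(f"{name:12s} {rel['relatedSpdxElement']!r}: {validate_relationship(rel) or 'OK'}")
```

Running it prints one error for the first object and OK for the other two, which is the behaviour the thread arrives at: the special values are allowed, but only as the whole value, and an unknown element inside an external document has to be expressed by pointing at that document's SPDXRef-DOCUMENT instead.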