
remove snippets association from AbstractFile

Open goneall opened this issue 5 years ago • 2 comments

Remove the snippets attribute from AbstractFile and only have a one way association from snippet to the file since it may be difficult for a file to know all snippets associated with it at SBOM construction time.

This would also help with SPDX compatibility.

goneall avatar Jan 09 '20 19:01 goneall

the association was only meant as a way to indicate that the snippet can't exist without a File or a ReferencedFile in the document; it doesn't say there aren't any other snippets from the same File or ReferencedFile (these are simply not of interest in this document, and the model doesn't require knowing all other potential snippets)

CASTResearchLabs avatar Jan 14 '20 14:01 CASTResearchLabs

> the association was only meant as a way to indicate that the snippet can't exist without a File or a ReferencedFile in the document

In SPDX, we allow the snippet to reference a file in an external document. The requirement for a file is taken care of by the mandatory field from the snippet back to the file.

The problem I stated above still remains. Perhaps something we need to discuss real-time since I may not be clearly stating the issue or not understanding the model.

goneall avatar Jan 14 '20 19:01 goneall
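To make the modelling point in this thread concrete, here is an added example (not code from sig-security-sbom or SPDX) of the one-way association being proposed: the file type carries no snippet list, the snippet carries a mandatory reference to its file (named after the SPDX 2.x `snippetFromFile` field), the reference may point into an external document using the SPDX `DocumentRef-<name>:SPDXRef-<id>` form, and the file-to-snippets view is derived by scanning the document instead of being maintained on the file. The class names, the `external_document_refs` set and the sample identifiers are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class File:
    """A file in the document. Deliberately has no `snippets` attribute."""
    spdx_id: str
    name: str


@dataclass(frozen=True)
class Snippet:
    """A snippet with the mandatory one-way reference back to its file.

    `snippet_from_file` mirrors SPDX 2.x `snippetFromFile`; the target is either a
    file id in this document or an external reference written in SPDX style as
    'DocumentRef-<name>:SPDXRef-<id>'.
    """
    spdx_id: str
    snippet_from_file: str
    byte_range: Tuple[int, int]


@dataclass
class Document:
    files: Dict[str, File] = field(default_factory=dict)
    snippets: Dict[str, Snippet] = field(default_factory=dict)
    # External documents this one declares (hypothetical field for the example).
    external_document_refs: Set[str] = field(default_factory=set)

    def add_file(self, f: File) -> None:
        self.files[f.spdx_id] = f

    def add_snippet(self, s: Snippet) -> None:
        """Enforce the constraint from the thread: a snippet cannot exist without a
        File in this document or a referenced file in a declared external document.
        """
        target = s.snippet_from_file
        if target.startswith("DocumentRef-"):
            doc_ref, _, _file_id = target.partition(":")
            if doc_ref not in self.external_document_refs:
                raise ValueError(f"{s.spdx_id}: unknown external document {doc_ref}")
        elif target not in self.files:
            raise ValueError(f"{s.spdx_id}: references unknown file {target}")
        self.snippets[s.spdx_id] = s

    def snippets_of(self, file_id: str) -> List[Snippet]:
        """Derive the file-to-snippets view by scanning the document; the File
        never has to know the complete set of snippets at construction time."""
        return [s for s in self.snippets.values() if s.snippet_from_file == file_id]


def is_accepted(doc: Document, s: Snippet) -> bool:
    """True if the snippet's file reference satisfies the document's constraint."""
    try:
        doc.add_snippet(s)
    except ValueError:
        return False
    return True


def build_example() -> Document:
    """Constructed sample: one local file, two local snippets, one external snippet."""
    doc = Document(external_document_refs={"DocumentRef-upstream"})
    doc.add_file(File("SPDXRef-File-main", "src/main.c"))
    doc.add_snippet(Snippet("SPDXRef-Snippet-1", "SPDXRef-File-main", (0, 120)))
    doc.add_snippet(Snippet("SPDXRef-Snippet-2", "SPDXRef-File-main", (300, 450)))
    doc.add_snippet(Snippet("SPDXRef-Snippet-ext",
                            "DocumentRef-upstream:SPDXRef-File-lib", (10, 20)))
    return doc


if __name__ == "__main__":
    d = build_example()
    for s in d.snippets_of("SPDXRef-File-main"):
        print(s.spdx_id, s.byte_range)
```

Because the only link lives on the snippet, a producer can emit a file early and append snippets later (or in another document) without ever revisiting the file record, which is exactly the construction-time difficulty raised in the opening post.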