Gary O'Neall

icon indicating a website link sourceauditor.com icon indicating an email [email protected]

icon company Source Auditor Inc. icon location San Francisco Bay Area icon location Contributor to Linux Foundation @spdx and @OpenChain-Project projects. Consultant providing technical due diligence and open source compliance services.

Results 1059 comments of Gary O'Neall

Potential encoding issue from opening a json file in validator.py under spdx_validator

Haven't heard a response since April - closing

Invalid TagExample 2.3: List of cross references separated with comma

@swinslow - I recall a similar issue with a difference between how the Golang tools and Java tools handled multiple list items in tag/value - do you recall the details...

Invalid TagExample 2.3: List of cross references separated with comma

In 3.0+ we will have a significantly different tag/value representation. Closing this issue as no longer relavent. cc: @kestewart

What is the correct way to specify the ID of the externalDocumentRef in RDF?

The `rdf:ID="DocumentRef-spdx-tool-1.2` and `rdf:about="http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#DocumentRef-spdx-tool-1.2` are equivalent per the RDF spec if the SPDX document namspace is `http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301` (see [this stackoverflow article](rdf:about="http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301#DocumentRef-spdx-tool-1.2) for an explanation). I don't believe the [SPDXRdfExample-v2.3.spdx.rdf.xml](https://github.com/spdx/spdx-spec/blob/efa69656db9db4fcc871de563cbbd104fc1e33c3/examples/SPDXRdfExample-v2.3.spdx.rdf.xml#L1916-L1927) should...

What is the correct way to specify the ID of the externalDocumentRef in RDF?

This is resolved in 3.0

SPDX documentation not in sync with schema

It looks like it is included in the required array here: https://github.com/spdx/spdx-spec/blob/8a595028b0386138c84f7188237787c374f6a6cf/schemas/spdx-schema.json#L748

SPDX documentation not in sync with schema

> Yes, it is mentioned as a required field in [development/v2.3.1](https://github.com/spdx/spdx-spec/blob/development/v2.3.1/schemas/spdx-schema.json) but not in [development/v2.3](https://github.com/spdx/spdx-spec/blob/development/v2.3/schemas/spdx-schema.json) which created confusion. Good point. This must have been an issue identified in 2.3.0 and...

Correct way to represent repository location for a package in SBOM.

@Moullisha does "repository location" refer to A) a file or directory within a repository or B) the location of the repository itself (e.g. URL)? If A) then I would recommend...

Correct way to represent repository location for a package in SBOM.

> @goneall externalRef has few allowed values for category like ["OTHER", "PERSISTENT_ID", "PERSISTENT-ID", "SECURITY", "PACKAGE_MANAGER"]. The only category value that seems suitable when providing repository location is OTHER. But this...

Correct way to represent repository location for a package in SBOM.

@Moullisha If you have a repository URL, there are a couple of ways you can represent that location. The preferred approach would be to construct a package URL with the...