Gary O'Neall
@rakeshsrinivasa If you want to refer to packages in spdx_1 and spdx_2, you would use the `externalDocumentRefs` with document namespaces from spdx_1 and spdx_2. For example: ``` externalDocumentRefs: - externalDocumentId:...
A couple other things in looking through the attached files:

- For document SPDX ID - it must be SPDXRef-DOCUMENT per the [spec](https://spdx.github.io/spdx-spec/v2.3/document-creation-information/#63-spdx-identifier-field)
- You should not use the `CONTAINS`...
@rakeshsrinivasa There isn't a field for the local path of the externally referenced files. We discussed adding it to the spec and decided not to since files may move etc....
> Btw, did you get a chance to look at the attached github.zip? Any comments on that?

Just briefly, see the [comment above](https://github.com/spdx/tools-java/issues/131#issuecomment-1622267989) for some feedback.
@rakeshsrinivasa Just checking to see if you still had any questions on this issue - you can also post to the [SPDX Tech team mailing list](https://lists.spdx.org/g/spdx-tech) for additional support with...
@rishabh-bhatnagar The only issue I see with the knakk/rdf is lack of support for encoding RDF/XML which is used in the Java SPDX tools. If we can find a library...
> This SPDX document name and prefix (at META-INF/spdx/) are designed to work well with fat JAR/shadow merging. I'm not aware of standards yet about where to place this document...
> Maven central will accept spdx documents as long as they follow the naming convention, and include the necessary signatures/checksums. I don't have any experience with embedding the sbom doc...
Moving this to 3.1 milestone
Resolved - closing