spdx-spec
Finding SPDX files for external documents
We have a use case where we are generating multiple SPDX files that in aggregate describe a single system. These documents are linked together using a complex combination of external document references; however, it is difficult for end users to find the individual files when walking through these documents. The documents themselves have a documentNamespace with a unique identifier, but this doesn't correspond to the file name of the SPDX document. We need some way of annotating what the actual file name is so that users can walk the tree of documents and know what file to open when following a reference.
One possible short term solution would be to use the Annotation property for the Document with an Annotation Type "OTHER" and a comment field that includes the filename (e.g. FileLocation: /spdxdocs/mydoc.spdx.json).
Longer term we could add a location property in the External Document Reference fields. If we do take this approach, we would probably use a URL format to allow for local and network file locations.
Right, we've currently done an out-of-band solution to this problem by creating a (non-SPDX) "index.json" file that users can open. It maps document namespaces to file names (example here). Being able to group multiple SPDX documents together in a single SBoM for distribution would be really helpful (currently, we just shove them all in a tar file).
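The two lookup strategies discussed above, a document-level `OTHER` annotation carrying a `FileLocation:` comment and an out-of-band `index.json` mapping namespaces to file names, can both feed a small resolver that walks a root SPDX 2.x JSON document's `externalDocumentRefs`. The following is an added example written for this page, not code from the spdx-spec project or from either commenter. It assumes the `FileLocation: <path>` comment names the location of the document that carries the annotation (one reading of the proposal above), that `index.json` is a flat `{documentNamespace: fileName}` object, and uses constructed namespaces, file names and document contents. Whatever the lookup finds, the file is only accepted as the referenced document if its digest matches the `checksum` recorded in the reference, since a namespace or file name alone is not evidence that the bytes on disk are the ones the producer linked to.

```python
"""Resolve SPDX 2.x externalDocumentRefs to local files and verify their checksums."""
import hashlib
import json
import os
import tempfile

# Convention proposed in the thread (an assumption, not defined by the SPDX 2.x spec):
# a document-level Annotation of type OTHER whose comment reads "FileLocation: <path>".
LOCATION_PREFIX = "FileLocation: "


def file_digest(path, algorithm):
    """Digest of the whole file using the SPDX algorithm name (SHA1, SHA256, SHA3-256, ...)."""
    h = hashlib.new(algorithm.lower().replace("-", "_"))
    with open(path, "rb") as f:
        h.update(f.read())
    return h.hexdigest()


def declared_location(doc):
    """Path advertised by the document's own FileLocation annotation, or None."""
    for ann in doc.get("annotations", []):
        comment = ann.get("comment", "")
        if ann.get("annotationType") == "OTHER" and comment.startswith(LOCATION_PREFIX):
            return comment[len(LOCATION_PREFIX):].strip()
    return None


def build_namespace_map(base_dir):
    """documentNamespace -> file path, merged from index.json and FileLocation annotations."""
    ns_map = {}
    index_path = os.path.join(base_dir, "index.json")  # constructed out-of-band index format
    if os.path.exists(index_path):
        with open(index_path, encoding="utf-8") as f:
            for ns, name in json.load(f).items():
                ns_map[ns] = os.path.join(base_dir, name)
    for name in sorted(os.listdir(base_dir)):
        if not name.endswith(".spdx.json"):
            continue
        with open(os.path.join(base_dir, name), encoding="utf-8") as f:
            doc = json.load(f)
        loc = declared_location(doc)
        if loc and doc.get("documentNamespace"):
            # os.path.join keeps an absolute FileLocation as-is and anchors a relative one in base_dir.
            ns_map.setdefault(doc["documentNamespace"], os.path.join(base_dir, loc))
    return ns_map


def resolve_external_refs(root_path, ns_map):
    """Follow every externalDocumentRef of root_path.

    Returns {externalDocumentId: (path, checksum_ok)}. checksum_ok is None when no file was
    found and False when the file does not match the checksum in the reference; in both cases
    the reference must be treated as unresolved rather than trusting whatever file was found.
    """
    with open(root_path, encoding="utf-8") as f:
        root = json.load(f)
    results = {}
    for ref in root.get("externalDocumentRefs", []):
        path = ns_map.get(ref["spdxDocument"])
        ok = None
        if path and os.path.isfile(path):
            chk = ref["checksum"]
            try:
                ok = file_digest(path, chk["algorithm"]) == chk["checksumValue"].lower()
            except ValueError:  # algorithm unknown to hashlib: cannot verify, so do not trust
                ok = False
        else:
            path = None
        results[ref["externalDocumentId"]] = (path, ok)
    return results


def _doc(name, ns, **extra):
    d = {"spdxVersion": "SPDX-2.2", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
         "name": name, "documentNamespace": ns,
         "creationInfo": {"created": "2021-01-01T00:00:00Z", "creators": ["Tool: example"]}}
    d.update(extra)
    return d


def _write(path, doc):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(doc, f, indent=2, sort_keys=True)


def demo(base_dir=None):
    """Build a constructed four-document tree and resolve the root's references."""
    base_dir = base_dir or tempfile.mkdtemp(prefix="spdx-")
    ns = "https://example.com/spdxdocs/{}-{}".format  # constructed namespaces
    ns_kernel, ns_libc, ns_tool = ns("kernel", "1111"), ns("libc", "2222"), ns("toolchain", "3333")
    # libc is findable only through its FileLocation annotation.
    _write(os.path.join(base_dir, "libc.spdx.json"), _doc("libc", ns_libc, annotations=[{
        "annotationType": "OTHER", "annotator": "Tool: example",
        "annotationDate": "2021-01-01T00:00:00Z", "comment": LOCATION_PREFIX + "libc.spdx.json"}]))
    # kernel and toolchain are findable only through index.json.
    _write(os.path.join(base_dir, "kernel.spdx.json"), _doc("kernel", ns_kernel))
    _write(os.path.join(base_dir, "toolchain.spdx.json"), _doc("toolchain", ns_tool))
    _write(os.path.join(base_dir, "index.json"),
           {ns_kernel: "kernel.spdx.json", ns_tool: "toolchain.spdx.json"})

    def ref(eid, target_ns, filename=None, stale=False):
        digest = "0" * 40 if (stale or filename is None) else \
            file_digest(os.path.join(base_dir, filename), "SHA1")
        return {"externalDocumentId": eid, "spdxDocument": target_ns,
                "checksum": {"algorithm": "SHA1", "checksumValue": digest}}

    root_path = os.path.join(base_dir, "system.spdx.json")
    _write(root_path, _doc("system", ns("system", "0000"), externalDocumentRefs=[
        ref("DocumentRef-kernel", ns_kernel, "kernel.spdx.json"),
        ref("DocumentRef-libc", ns_libc, "libc.spdx.json"),
        ref("DocumentRef-toolchain", ns_tool, "toolchain.spdx.json", stale=True),  # file changed
        ref("DocumentRef-missing", ns("missing", "9999")),  # nothing maps this namespace
    ]))
    return resolve_external_refs(root_path, build_namespace_map(base_dir))


if __name__ == "__main__":
    for eid, (path, ok) in demo().items():
        print(eid, path, ok)
```

Running the module prints one line per reference: the two documents found through the annotation and the index verify, the toolchain document resolves to a file but fails its checksum, and the unmapped namespace is reported with no path. A consumer walking a bundle should stop at the last two rather than open whichever file happens to share a name.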
Moving to 3.1 for consideration.
This is an SPDX 2.X problem only; SPDX 3 makes it much easier to combine multiple documents together which makes this unnecessary
Thanks @JPEWdev - I'll close this issue