FileName: question about expected behavior
The 2.3 spec for File Information clearly asks for the following format:
A relative filename with the root of the package archive or directory.
In general, every filename is preceded with a ./, see http://www.ietf.org/rfc/rfc3986.txt for syntax.
However, some tools (including trivy) produce absolute paths for containers. e.g.
FileName: /usr/lib/x86_64-linux-gnu/perl-base/unicore/lib/Age/V60.pl
Would this be considered an invalid value for the Filename?
> Would this be considered an invalid value for the Filename?
Yes.
This is a very common issue. We have "Docfests" somewhat regularly where tool builders compare SPDX output for the same target. We find inconsistencies in the filename are relatively common. I would suggest reporting the issue to the tool provider and referencing the spec and this issue.
Perfect. That's what I was guessing as well. Thanks for confirming, @goneall!
Closing this as resolved
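
Added example, not part of the original thread or of any SPDX tooling: a small checker that scans an SPDX tag-value document for FileName values that do not follow the format quoted above and proposes a `./`-relative form. The function names, status labels and sample document are constructed for illustration; treating the container's root filesystem as the package root, and flagging `..` paths that leave the root, are assumptions of this example.

```python
import posixpath

def classify(value):
    """Classify one FileName value; returns (status, suggested_value)."""
    if value.startswith("/"):
        # Absolute path, as in the container output quoted in the question.
        # Assumption: the image's root filesystem is the package root.
        return "absolute", "./" + posixpath.normpath(value).lstrip("/")
    norm = posixpath.normpath(value)
    if norm == ".." or norm.startswith("../"):
        # Assumption of this example: a path that climbs above the package
        # root cannot be relative to it, so no rewrite is proposed.
        return "escapes-root", None
    if not value.startswith("./"):
        # Relative, but lacks the "./" the spec text says generally precedes it.
        return "missing-prefix", "./" + norm
    return "ok", value

def scan(document):
    """Return (line_number, status, value, suggestion) for each bad FileName."""
    findings = []
    for lineno, line in enumerate(document.splitlines(), 1):
        tag, sep, value = line.partition(":")
        if sep and tag.strip() == "FileName":
            value = value.strip()
            status, fixed = classify(value)
            if status != "ok":
                findings.append((lineno, status, value, fixed))
    return findings

# Constructed sample document; only the first FileName comes from the thread.
SAMPLE = """\
SPDXVersion: SPDX-2.3
FileName: /usr/lib/x86_64-linux-gnu/perl-base/unicore/lib/Age/V60.pl
SPDXID: SPDXRef-File-1
FileName: ./src/main.c
SPDXID: SPDXRef-File-2
FileName: docs/README.md
SPDXID: SPDXRef-File-3
"""

if __name__ == "__main__":
    for lineno, status, value, fixed in scan(SAMPLE):
        print(f"line {lineno}: {status}: {value!r} -> {fixed!r}")
```

A check like this can run in CI against generated SBOMs so that path inconsistencies between tools are caught before documents are compared or merged.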