
Correct way to represent repository location for a package in SBOM.

Open Moullisha opened this issue 1 year ago • 9 comments

Hello,

Can someone provide insight into what would be the best way to mention the repository location for a package, out of the two methods mentioned below:

Method 1: Using the sourceInfo field
Method 2: Specifying the location under the files section and then associating it with the appropriate package using the CONTAINS relationship

In case neither of the above methods is the correct way of doing it, please let us know what is recommended as per the SPDX standard.

For instance: in the example below, SPDXRef-Pkg-openssl-N-A-4092837 refers to an openssl package and SPDXRef-File-48482523-f refers to a file; later, in the relationships section, a CONTAINS relationship has been specified between the package and the file.

  "packages": [
    {
      "SPDXID": "SPDXRef-Pkg-openssl-N-A-4092837",
      "name": "openssl",
      "versionInfo": "N-A",
      "homepage": "https://www.openssl.org/",
      "downloadLocation": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "licenseDeclared": "OpenSSL",
      "licenseConcluded": "OpenSSL",
      "supplier": "Organization: Undetermined",
      "licenseInfoFromFiles": [ (... omitting this rather long list ...) ],
      "packageVerificationCode": {
        "packageVerificationCodeValue": "b4e6fca9207b56ee9bbcdb547ba5c2e3b4df6341"
      }
    }
  ],

  "files": [
    {
      "SPDXID": "SPDXRef-File-48482523-f",
      "fileName": "cos-2.5.132/vendor/skopeo.tar",
      "checksums": [
        {
          "algorithm": "MD5",
          "checksumValue": "f5eb33ac9bee848e72f6931c30420031"
        },
        {
          "algorithm": "SHA1",
          "checksumValue": "e7066b56ee35e39cf0cc12fe81232decd8ee9ec6"
        }
      ]
    }
  ],

  "relationships": [
    {
      "spdxElementId": "SPDXRef-Pkg-cos-2.5.132-5277",
      "relationshipType": "CONTAINS",
      "relatedSpdxElement": "SPDXRef-Pkg-openssl-N-A-4092837"
    },
    {
      "spdxElementId": "SPDXRef-Pkg-openssl-N-A-4092837",
      "relationshipType": "CONTAINS",
      "relatedSpdxElement": "SPDXRef-File-48482523-f"
    }
  ]

Thanks in advance!

Moullisha avatar Jan 31 '24 07:01 Moullisha

@Moullisha does "repository location" refer to A) a file or directory within a repository or B) the location of the repository itself (e.g. URL)?

If A) then I would recommend using the packageFileName property on the Package. For B) you can use the externalRef property - the specific format would depend on the type of repository. Package URLs are a bit more generalized and preferred by many consumers of SPDX.

If a package includes (contains) sub-packages, you should also use a CONTAINS relationship to make it clear the package includes the sub-package in the distribution.

goneall avatar Jan 31 '24 11:01 goneall

@goneall externalRef has few allowed values for category like ["OTHER", "PERSISTENT_ID", "PERSISTENT-ID", "SECURITY", "PACKAGE_MANAGER"]. The only category value that seems suitable when providing repository location is OTHER. But this can be confusing in cases the externalRef with OTHER has a value other than repo location.

Moullisha avatar Feb 01 '24 04:02 Moullisha

> @goneall externalRef has few allowed values for category like ["OTHER", "PERSISTENT_ID", "PERSISTENT-ID", "SECURITY", "PACKAGE_MANAGER"]. The only category value that seems suitable when providing repository location is OTHER. But this can be confusing in cases the externalRef with OTHER has a value other than repo location.

@Moullisha - can you clarify what you mean by "repository location"? I'm not sure if you mean a location WITHIN a repository or the location OF a repository (e.g. URL).

goneall avatar Feb 01 '24 22:02 goneall

@goneall Repository URL here refers to the GitHub repository path of the project to which the module belongs.

Moullisha avatar Feb 03 '24 18:02 Moullisha

@Moullisha If you have a repository URL, there are a couple of ways you can represent that location.

The preferred approach would be to construct a package URL with the format as defined in the purl spec.

You would then add it as an externalRef of type Package-Manager. The reason for the Package-Manager category is the spec placed purls within that category.

Sometimes it makes sense to use the Git URL in the download location if the package is checked out directly from Git, but this is less common.

goneall avatar Feb 05 '24 09:02 goneall

@goneall The repository location here refers to the github repository of the product where a particular module is being used. For instance, if I use node.js in one of my projects, is there some field in SBOM to store the github repo location of the project in which node.js is being used?

Moullisha avatar Feb 12 '24 16:02 Moullisha

Since you are referring to a separate package (in your example, node.js), I would suggest creating a separate SPDX package to represent node.js and create a relationship between the main package and the dependency (e.g. the DEPENDS_ON relationship). In the dependent package fields, you can add the package URL for the dependency to point to the github location.

goneall avatar Feb 12 '24 19:02 goneall

  "packages": [
    {
      "SPDXID": "SPDXRef-Pkg-Product-3.134-4027901",
      "name": "adduser",
      "filesAnalyzed": false,
      "description": "apko container image",
      "downloadLocation": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "d62fea9d5f46122c0355f10e54d500fda294e15088cd1a1a06bdf25af537859a"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-Pkg-nodejs-2.6.1-4027993",
      "name": "nodejs",
      "versionInfo": "274cbd68f8b7a11427cd8bba73c2aface6499d36",
      "filesAnalyzed": false,
      "description": "Image configuration source",
      "downloadLocation": "https://github.com/chainguard-images/images-private@274cbd68f8b7a11427cd8bba73c2aface6499d36",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "274cbd68f8b7a11427cd8bba73c2aface6499d36"
        }
      ]
    }
  ],

  "relationships": [
    {
      "spdxElementId": "SPDXRef-Pkg-Product-3.134-4027901",
      "relatedSpdxElement": "SPDXRef-Pkg-nodejs-2.6.1-4027993",
      "relationshipType": "CONTAINS"
    }
  ]

> I would suggest creating a separate SPDX package to represent node.js and create a relationship between the main package and the dependency (e.g. the DEPENDS_ON relationship). In the dependent package fields, you can add the package URL for the dependency to point to the github location.

In the example above, SPDXRef-Pkg-Product-3.134-4027901 refers to my product and SPDXRef-Pkg-nodejs-2.6.1-4027993 refers to the nodejs package being used in my project. A CONTAINS relationship is defined between the product and nodejs to demonstrate the dependency between the two.

But if I want to include the github repo url of my project in which nodejs has been used, is there some field under Package Information section that I can use?

Moullisha avatar Feb 13 '24 05:02 Moullisha

> But if I want to include the github repo url of my project in which nodejs has been used, is there some field under Package Information section that I can use?

If your project is in a GitHub repo, you can add an external reference using a package URL for your git repo. It would not be specific to the nodejs.

For the nodejs, you can have a separate external reference pointing to the git repository for that project.

goneall avatar Feb 13 '24 05:02 goneall
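The thread settles on three things: put the repository in an externalRef of category PACKAGE-MANAGER with referenceType purl, express the product-to-dependency link as a DEPENDS_ON (or CONTAINS) relationship between two packages, and optionally use the VCS form of downloadLocation when the package is checked out from git. The script below is an added example, not code from the thread or the spdx-spec project: it builds an SPDX 2.3 JSON document in that shape and then lints it for the mistakes discussed above (a purl filed under OTHER, a bare `https://...@commit` download location instead of the `git+` VCS form, and relationships that point at SPDXIDs that do not exist in the document). All SPDXIDs, package names, repository URLs, refs and the document namespace are constructed for illustration.

```python
"""Added example: build the SPDX 2.3 fragments the thread arrives at and lint them.
All SPDXIDs, names, URLs and refs below are hypothetical."""
import json
import re

# referenceCategory values in the SPDX 2.3 JSON schema enum (both spellings are listed).
ALLOWED_REF_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PACKAGE_MANAGER",
                          "PERSISTENT-ID", "PERSISTENT_ID", "OTHER"}
PACKAGE_MANAGER_CATEGORIES = {"PACKAGE-MANAGER", "PACKAGE_MANAGER"}
VCS_PREFIXES = ("git+", "hg+", "svn+", "bzr+")   # SPDX 2.3 downloadLocation VCS forms
# Loose purl shape: pkg:<type>/<namespace/name>[@version][?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:[a-z0-9.+-]+/[^@?#\s]+(@[^?#\s]+)?(\?[^#\s]+)?(#\S+)?$")


def github_purl(owner: str, repo: str, version: str = "") -> str:
    """purl for a GitHub repository (the purl spec lowercases github namespace/name)."""
    purl = f"pkg:github/{owner.lower()}/{repo.lower()}"
    return f"{purl}@{version}" if version else purl


def git_download_location(https_url: str, ref: str) -> str:
    """SPDX downloadLocation in VCS form: git+https://host/path.git@<ref>."""
    url = https_url if https_url.endswith(".git") else https_url + ".git"
    return f"git+{url}@{ref}"


def package(spdxid, name, version, download_location, purl, description=""):
    """Minimal SPDX 2.3 package that carries its repository as a purl externalRef."""
    return {"SPDXID": spdxid, "name": name, "versionInfo": version,
            "filesAnalyzed": False, "description": description,
            "downloadLocation": download_location,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER",
                              "referenceType": "purl", "referenceLocator": purl}]}


def relationship(src, rel_type, dst):
    return {"spdxElementId": src, "relationshipType": rel_type, "relatedSpdxElement": dst}


def build_document():
    """Product package plus one dependency, linked with DEPENDS_ON (hypothetical repos)."""
    product = package("SPDXRef-Pkg-Product", "my-product", "3.134",
                      git_download_location("https://github.com/example-org/my-product", "v3.134"),
                      github_purl("example-org", "my-product", "v3.134"),
                      "Product living in the hypothetical example-org/my-product repo")
    nodejs = package("SPDXRef-Pkg-nodejs", "node", "v20.11.0",
                     git_download_location("https://github.com/nodejs/node", "v20.11.0"),
                     github_purl("nodejs", "node", "v20.11.0"), "Dependency of my-product")
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": "my-product-sbom",
            "documentNamespace": "https://example.org/spdx/my-product-3.134",
            "creationInfo": {"created": "2024-02-13T00:00:00Z",
                             "creators": ["Tool: example-sbom-builder"]},
            "packages": [product, nodejs],
            "relationships": [relationship("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Pkg-Product"),
                              relationship("SPDXRef-Pkg-Product", "DEPENDS_ON", "SPDXRef-Pkg-nodejs")]}


def lint_document(doc) -> list:
    """Findings about externalRefs, downloadLocation and dangling relationship ends."""
    findings = []
    known = {doc.get("SPDXID")}
    known.update(p["SPDXID"] for p in doc.get("packages", []))
    known.update(f["SPDXID"] for f in doc.get("files", []))
    for pkg in doc.get("packages", []):
        pid, loc = pkg["SPDXID"], pkg.get("downloadLocation", "")
        if not loc:
            findings.append(f"{pid}: downloadLocation is mandatory (NOASSERTION if unknown)")
        elif "@" in loc and not loc.startswith(VCS_PREFIXES):
            findings.append(f"{pid}: {loc!r} looks like a VCS checkout; SPDX VCS form is git+<url>@<ref>")
        for ref in pkg.get("externalRefs", []):
            cat = ref.get("referenceCategory")
            if cat not in ALLOWED_REF_CATEGORIES:
                findings.append(f"{pid}: unknown referenceCategory {cat!r}")
            if ref.get("referenceType") == "purl":
                if cat not in PACKAGE_MANAGER_CATEGORIES:
                    findings.append(f"{pid}: purl belongs under PACKAGE-MANAGER, not {cat!r}")
                if not PURL_RE.match(ref.get("referenceLocator", "")):
                    findings.append(f"{pid}: malformed purl {ref.get('referenceLocator')!r}")
    for rel in doc.get("relationships", []):
        for end in ("spdxElementId", "relatedSpdxElement"):
            target = rel.get(end)
            # External references (DocumentRef-x:SPDXRef-y) are out of scope for this check.
            if target not in known and target not in ("NONE", "NOASSERTION") and ":" not in str(target):
                findings.append(f"relationship {rel.get('relationshipType')}: {end} {target!r} is not in this document")
    return findings


if __name__ == "__main__":
    sbom = build_document()
    print(json.dumps(sbom, indent=2))
    print("findings:", lint_document(sbom) or "none")
```

Run it and the generated document lints clean. Feed it a package whose purl is filed under OTHER, or whose downloadLocation is the bare `https://github.com/...@<sha>` style from the example earlier in the thread, and the linter names the package and the field to change; a relationship pointing at an SPDXID that exists nowhere in the document is the third case it catches, which is the usual result of hand-editing the relationships section separately from the packages section.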

I believe this has been answered - @Moullisha if you have further questions, feel free to re-open or open a new issue

goneall avatar Apr 04 '24 22:04 goneall