
How can I refer to 2 SPDX files in a third SPDX file and access all the package information from the 3rd SPDX file

Open rakeshsrinivasa opened this issue 1 year ago • 8 comments

Suppose that I have an SPDX file called "spdx_1.yaml" and another one called "spdx_2.yaml". Both of these SPDX files have certain packages. Now I want to create another SPDX file (call it spdx_3.yaml) which just refers to the spdx_1 and spdx_2 yaml files available locally in the same folder.

Now, using spdx-tools java, I need to access all the packages available in the spdx_1 and spdx_2 yamls via spdx_3.yaml.

Below are my questions:

  1. I am facing difficulties in forming spdx_3.yaml. Please verify and help me: github.zip

  2. How can I access all the packages present in spdx_1 and spdx_2 yaml via spdx_3.yaml in spdx-tools java?

Thanks in advance

rakeshsrinivasa avatar Jun 29 '23 21:06 rakeshsrinivasa

@goneall Any comments/suggestions on above ?

rakeshsrinivasa avatar Jul 05 '23 16:07 rakeshsrinivasa

@rakeshsrinivasa If you want to refer to packages in spdx_1 and spdx_2, you would use the externalDocumentRefs with document namespaces from spdx_1 and spdx_2. For example:

externalDocumentRefs:
  - externalDocumentId: "DocumentRef-spdx_1"
    checksum:
      algorithm: "SHA1"
      checksumValue: "[the checksum for spdx_1 yaml file]"
    spdxDocument: "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301"

You would then refer to the package using the syntax [DocumentRef]:[SpdxID], for example: DocumentRef-spdx_1:SPDXRef-Package-1.

goneall avatar Jul 05 '23 18:07 goneall

A couple other things in looking through the attached files:

  • For document SPDX ID - it must be SPDXRef-DOCUMENT per the spec
  • You should not use the CONTAINS relationship for the SPDX Document as it doesn't really contain anything, it just describes things - so you should use the DESCRIBES relationship. Packages can contain things, so maybe you want to have the SPDX Document describe a package that contains other packages or files.

goneall avatar Jul 05 '23 18:07 goneall

@goneall In the below

externalDocumentRefs:
  - externalDocumentId: "DocumentRef-spdx_1"
    checksum:
      algorithm: "SHA1"
      checksumValue: "[the checksum for spdx_1 yaml file]"
    spdxDocument: "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301"

Where am I specifying the local path of the spdx_1 or spdx_2 file? How does the spdx_3 yaml file determine which local file it has to refer to?

rakeshsrinivasa avatar Jul 05 '23 18:07 rakeshsrinivasa

@goneall Btw, did you get a chance to look at the attached github.zip? Any comments on that?

rakeshsrinivasa avatar Jul 05 '23 18:07 rakeshsrinivasa

@rakeshsrinivasa There isn't a field for the local path of the externally referenced files. We discussed adding it to the spec and decided not to since files may move etc. You can probably add an Annotation or a comment to capture this.

goneall avatar Jul 05 '23 18:07 goneall

Btw, did you get a chance to look at the attached github.zip? Any comments on that?

Just briefly, see the comment above for some feedback.

goneall avatar Jul 05 '23 18:07 goneall

@rakeshsrinivasa Just checking to see if you still had any questions on this issue - you can also post to the SPDX Tech team mailing list for additional support with the spec.

goneall avatar Dec 17 '23 23:12 goneall