
writers[rdf]: Add external package reference

Open quaresmajose opened this issue 3 years ago • 4 comments

'ExternalPackageRef' is optional, but we need to write it when it exists.

quaresmajose avatar Nov 19 '21 19:11 quaresmajose

@quaresmajose Thanks! Do you mind adding a test for this?

pombredanne avatar Dec 15 '21 14:12 pombredanne

@pombredanne: currently there is no test for the writers[rdf] in the repo; the writers[tag] writes the CPE as expected. The ExternalPackageRef was introduced in https://github.com/spdx/tools-python/commit/eb0d2a4e681dab2d76f79441e2d9d36dde608b9c

quaresmajose avatar Jan 25 '22 18:01 quaresmajose

Any news on this? As far as I understand SPDX, external references are used to identify packages (like maven) for checking vulnerability databases. In my use case, it's a make-or-break feature, given that I got it right with the intention behind the external references.

NikolaVeber avatar Sep 12 '22 15:09 NikolaVeber

If I remember correctly this field can be used to store the CPE that can be used to do CVE security scans.

quaresmajose avatar Oct 21 '22 17:10 quaresmajose
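The behaviour the thread asks for, as an added example that is not the tools-python project's own code: an RDF/XML Package serializer that writes the optional ExternalRef element only when a package actually carries one, together with a reader that recovers the category, type and locator so a downstream CVE scan can pick up the CPE. The `ExternalPackageRef` and `Package` dataclasses below are hypothetical stand-ins for the project's model classes; the `spdx:externalRef`, `spdx:ExternalRef`, `spdx:referenceCategory`, `spdx:referenceType` and `spdx:referenceLocator` terms and the `referenceCategory_security` individual are the SPDX 2.2 RDF vocabulary, and the busybox CPE is a constructed sample value.

```python
"""Added example (not project code): write and read SPDX 2.2 ExternalRef in RDF/XML.

The dataclasses are hypothetical stand-ins for tools-python's own model classes;
the RDF term names follow the SPDX 2.2 specification.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import xml.etree.ElementTree as ET

SPDX_NS = "http://spdx.org/rdf/terms#"
RDF_NS = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS_NS = "http://www.w3.org/2000/01/rdf-schema#"
REF_TYPE_NS = "http://spdx.org/rdf/references/"  # base for listed types such as cpe23Type, purl

ET.register_namespace("spdx", SPDX_NS)
ET.register_namespace("rdf", RDF_NS)
ET.register_namespace("rdfs", RDFS_NS)

# Tag-value category keyword -> RDF individual suffix (SPDX 2.2 referenceCategory_*).
_CATEGORY_TO_RDF = {"SECURITY": "security", "PACKAGE-MANAGER": "packageManager", "OTHER": "other"}
_RDF_TO_CATEGORY = {v: k for k, v in _CATEGORY_TO_RDF.items()}


@dataclass
class ExternalPackageRef:          # hypothetical stand-in for the project's class
    category: str                  # "SECURITY", "PACKAGE-MANAGER" or "OTHER"
    pkg_ext_ref_type: str          # e.g. "cpe23Type", "purl"
    locator: str                   # e.g. a CPE 2.3 string
    comment: Optional[str] = None


@dataclass
class Package:                     # hypothetical stand-in for the project's class
    name: str
    version: str
    pkg_ext_refs: List[ExternalPackageRef] = field(default_factory=list)


def _tag(ns: str, local: str) -> str:
    return "{%s}%s" % (ns, local)


def _category_resource(category: str) -> str:
    try:
        return SPDX_NS + "referenceCategory_" + _CATEGORY_TO_RDF[category]
    except KeyError:
        raise ValueError("unknown external reference category: %r" % category)


def package_to_rdf(pkg: Package) -> ET.Element:
    """Build the spdx:Package element; externalRef is optional and is only emitted when present."""
    node = ET.Element(_tag(SPDX_NS, "Package"))
    ET.SubElement(node, _tag(SPDX_NS, "name")).text = pkg.name
    ET.SubElement(node, _tag(SPDX_NS, "versionInfo")).text = pkg.version
    for ref in pkg.pkg_ext_refs:  # zero iterations -> no externalRef written at all
        holder = ET.SubElement(node, _tag(SPDX_NS, "externalRef"))
        ext = ET.SubElement(holder, _tag(SPDX_NS, "ExternalRef"))
        ET.SubElement(ext, _tag(SPDX_NS, "referenceCategory")).set(
            _tag(RDF_NS, "resource"), _category_resource(ref.category))
        ET.SubElement(ext, _tag(SPDX_NS, "referenceType")).set(
            _tag(RDF_NS, "resource"), REF_TYPE_NS + ref.pkg_ext_ref_type)
        ET.SubElement(ext, _tag(SPDX_NS, "referenceLocator")).text = ref.locator
        if ref.comment:
            ET.SubElement(ext, _tag(RDFS_NS, "comment")).text = ref.comment
    return node


def package_to_rdf_string(pkg: Package) -> str:
    return ET.tostring(package_to_rdf(pkg), encoding="unicode")


def external_refs_from_rdf(xml_text: str) -> List[Tuple[str, str, str]]:
    """Read back (category, type, locator) triples, as a CVE-scanning consumer would."""
    root = ET.fromstring(xml_text)
    found = []
    for ext in root.iter(_tag(SPDX_NS, "ExternalRef")):
        cat_uri = ext.find(_tag(SPDX_NS, "referenceCategory")).get(_tag(RDF_NS, "resource"))
        type_uri = ext.find(_tag(SPDX_NS, "referenceType")).get(_tag(RDF_NS, "resource"))
        locator = ext.find(_tag(SPDX_NS, "referenceLocator")).text
        category = _RDF_TO_CATEGORY[cat_uri.rsplit("referenceCategory_", 1)[1]]
        found.append((category, type_uri[len(REF_TYPE_NS):], locator))
    return found


def security_locators(pkg: Package) -> List[str]:
    """The locators a vulnerability scanner would key on (SECURITY category only)."""
    return external_refs_from_rdf(package_to_rdf_string(pkg)) and [
        loc for cat, _typ, loc in external_refs_from_rdf(package_to_rdf_string(pkg)) if cat == "SECURITY"]


if __name__ == "__main__":
    # Constructed sample: a package carrying a CPE 2.3 identifier for security scanning.
    sample = Package("busybox", "1.35.0", [ExternalPackageRef(
        "SECURITY", "cpe23Type", "cpe:2.3:a:busybox:busybox:1.35.0:*:*:*:*:*:*:*")])
    print(package_to_rdf_string(sample))
    print(security_locators(sample))
```

The round trip is the check the thread asks for: a package without references produces no `externalRef` element, while one with a SECURITY/cpe23Type reference yields exactly the CPE a scanner needs.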

There is an open issue concerning this functionality for the jsonyamlxml writer. (#249)

meretp avatar Oct 27 '22 10:10 meretp

@quaresmajose Is it ok if I take over this PR? Looking back at comments, I think the functionality for jsonyamlxml and potentially unit tests are still missing.

nicoweidner avatar Nov 03 '22 11:11 nicoweidner

@nicoweidner sure, feel free to change or take it according to your needs.

quaresmajose avatar Nov 03 '22 12:11 quaresmajose

@quaresmajose Thanks! I created a new PR https://github.com/spdx/tools-python/pull/266 which is already rebased on main; will add additional commits there.

nicoweidner avatar Nov 03 '22 14:11 nicoweidner