spdx/tools-java

How can I refer to 2 SPDX files in a third SPDX file and access all the package information from the 3rd SPDX file?

rakeshsrinivasa opened this issue · 8 comments

Suppose I have an SPDX file called "spdx_1.yaml" and another one called "spdx_2.yaml". Both these SPDX files have certain packages. Now I want to create another SPDX file (call it spdx_3.yaml) which just refers to the spdx_1 and spdx_2 yaml files available locally in the same folder.

Now, using spdx-tools java, I need to access all the packages available in the spdx_1 and spdx_2 yamls via spdx_3.yaml.

Below are my questions:

  1. I am facing difficulties in forming spdx_3.yaml. Please do verify and help me: github.zip
  2. How can I access all the packages present in the spdx_1 and spdx_2 yaml via spdx_3.yaml in spdx-tools java?

Thanks in advance

@goneall Any comments/suggestions on the above?

@rakeshsrinivasa If you want to refer to packages in spdx_1 and spdx_2, you would use the externalDocumentRefs with document namespaces from spdx_1 and spdx_2. For example:

externalDocumentRefs:
  - externalDocumentId: "DocumentRef-spdx_1"
    checksum:
      algorithm: "SHA1"
      checksumValue: "[the checksum for spdx_1 yaml file]"
    spdxDocument: "http://spdx.org/spdxdocs/spdx-example-444504E0-4F89-41D3-9A0C-0305E82C3301"

You would then refer to the package using the syntax [DocumentRef]:[SpdxID], for example: DocumentRef-spdx_1:SPDXRef-Package-1.

A couple of other things from looking through the attached files:

  • For document SPDX ID - it must be SPDXRef-DOCUMENT per the spec
  • You should not use the CONTAINS relationship for the SPDX Document as it doesn't really contain anything, it just describes things - so you should use the DESCRIBES relationship. Packages can contain things, so maybe you want to have the SPDX Document describe a package that contains other packages or files.

@goneall In the below

externalDocumentRefs:

where am I specifying the local path of the spdx_1 or spdx_2 file? How does the spdx_3 yaml file determine which local file it has to refer to?

@goneall Btw, did you get a chance to look at the attached github.zip? Any comments on that?

@rakeshsrinivasa There isn't a field for the local path of the externally referenced files. We discussed adding it to the spec and decided not to since files may move etc. You can probably add an Annotation or a comment to capture this.
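An added example (not code from this issue or from spdx/tools-java) that ties together the externalDocumentRefs entry shown earlier and the point that there is no local-path field: the referenced document is located among the local files by its documentNamespace, accepted only if the file's SHA1 matches the recorded checksum, and then DocumentRef-x:SPDXRef-y references in DESCRIBES relationships are followed. It is written in Python with constructed documents in SPDX JSON; the namespaces, package names and file names are assumptions.

```python
import hashlib
import json
# Constructed sample documents (not from the issue), as SPDX JSON rather than
# YAML so only the standard library is needed; the field names are the same.
SPDX_1 = json.dumps({"SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "http://example.invalid/spdxdocs/spdx_1-0001",
    "packages": [{"SPDXID": "SPDXRef-Package-1", "name": "libfoo"}]}).encode()
SPDX_2 = json.dumps({"SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "http://example.invalid/spdxdocs/spdx_2-0002",
    "packages": [{"SPDXID": "SPDXRef-Package-1", "name": "libbar"}]}).encode()
LOCAL_FILES = {"spdx_1.json": SPDX_1, "spdx_2.json": SPDX_2}  # files on disk

def external_ref(doc_id: str, data: bytes) -> dict:
    """One externalDocumentRefs entry: id, SHA1 of the file bytes, and namespace."""
    return {"externalDocumentId": doc_id,
            "checksum": {"algorithm": "SHA1",
                         "checksumValue": hashlib.sha1(data).hexdigest()},
            "spdxDocument": json.loads(data)["documentNamespace"]}

SPDX_3 = {"SPDXID": "SPDXRef-DOCUMENT",
    "documentNamespace": "http://example.invalid/spdxdocs/spdx_3-0003",
    "externalDocumentRefs": [external_ref("DocumentRef-spdx_1", SPDX_1),
                             external_ref("DocumentRef-spdx_2", SPDX_2)],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "DocumentRef-spdx_1:SPDXRef-Package-1"},
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "DocumentRef-spdx_2:SPDXRef-Package-1"}]}

def load_external_docs(doc: dict, local_files: dict) -> dict:
    """Map externalDocumentId -> parsed doc, found by namespace, rejected on bad checksum."""
    by_ns = {json.loads(d)["documentNamespace"]: d for d in local_files.values()}
    resolved = {}
    for ref in doc.get("externalDocumentRefs", []):
        data = by_ns.get(ref["spdxDocument"])
        if data is None:
            raise LookupError(f"no local document for {ref['spdxDocument']}")
        digest = hashlib.sha1(data).hexdigest()
        if ref["checksum"]["algorithm"] != "SHA1" or digest != ref["checksum"]["checksumValue"]:
            raise ValueError(f"checksum mismatch for {ref['externalDocumentId']}")
        resolved[ref["externalDocumentId"]] = json.loads(data)
    return resolved

def described_packages(doc: dict, local_files: dict) -> list:
    """Follow each DESCRIBES relationship written as DocumentRef-x:SPDXRef-y."""
    external = load_external_docs(doc, local_files)
    targets = [r["relatedSpdxElement"].partition(":") for r in doc["relationships"]
               if r["relationshipType"] == "DESCRIBES"]
    return [p for doc_ref, _, spdx_id in targets
            for p in external[doc_ref]["packages"] if p["SPDXID"] == spdx_id]
```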

Btw, did you get a chance to look at the attached github.zip? Any comments on that?

Just briefly, see the comment above for some feedback.

@rakeshsrinivasa Just checking to see if you still had any questions on this issue - you can also post to the SPDX Tech team mailing list for additional support with the spec.