A) We are trying to consume spdx files generated by https://github.com/microsoft/sbom-tool.
It generates files with following snippets:
and
Both seem like equivalents for specifying what the SPDX file describes. According to https://github.com/spdx/spdx-spec/blob/development/v2.3/schemas/spdx-schema.json and spdx/spdx-spec#395, it seems that the package ref described in relatedSpdxElement ("SPDXRef-RootPackage") should be used as the root package of the resulting CycloneDX document, metadata.component. Currently it's ignored.
As I understand it, the only caveat here is multiple components in documentDescribes/DESCRIBES relationships. Could this relationship be propagated to metadata.component in the case of a single value?
B) Another thing that we have interest in is the "externalRefs" property, which is also completely ignored in the spdx->cyclonedx conversion, but filled in the backward conversion.
I can provide PRs for both cases.
For case A I'd like to start a discussion; maybe I don't see some things?
For case B I think it should be extended to support all "externalRefs".
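An added illustration of the mapping discussed in this issue (example code, not the converter's own code and not the issue author's): it resolves the described root package from both `documentDescribes` and a `DESCRIBES` relationship, refuses to pick a root when more than one element is described (the caveat raised above), and carries `externalRefs` across to the CycloneDX component. The sample SPDX document and the purl/externalReferences field mapping are constructed assumptions.

```python
import json

# Constructed sample SPDX 2.3 JSON, modelled on the shape described in the issue:
# documentDescribes and a DESCRIBES relationship both naming the same root package.
SPDX_DOC = json.loads("""
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "documentDescribes": ["SPDXRef-RootPackage"],
  "packages": [
    {"SPDXID": "SPDXRef-RootPackage", "name": "example-app", "versionInfo": "1.2.3",
     "externalRefs": [
       {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
        "referenceLocator": "pkg:npm/example-app@1.2.3"},
       {"referenceCategory": "OTHER", "referenceType": "website",
        "referenceLocator": "https://example.invalid/app"}]},
    {"SPDXID": "SPDXRef-Package-lib", "name": "lib", "versionInfo": "0.1"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-RootPackage"}
  ]
}
""")


def described_elements(doc):
    """Elements named by documentDescribes plus DESCRIBES relationships from the document."""
    ids = list(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel.get("spdxElementId") == doc.get("SPDXID") and rel.get("relationshipType") == "DESCRIBES":
            ids.append(rel["relatedSpdxElement"])
    return list(dict.fromkeys(ids))  # keep order, drop duplicates (both forms usually agree)


def root_component(doc):
    """Build a CycloneDX-style metadata.component dict for the single described package.
    Returns None when zero or several elements are described, or the ref is unresolvable."""
    ids = described_elements(doc)
    if len(ids) != 1:
        return None
    pkg = next((p for p in doc.get("packages", []) if p.get("SPDXID") == ids[0]), None)
    if pkg is None:
        return None
    comp = {"type": "application", "name": pkg["name"], "version": pkg.get("versionInfo")}
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":  # assumed mapping: purl ref -> component.purl
            comp["purl"] = ref["referenceLocator"]
        else:  # assumed mapping: everything else -> externalReferences, tagged with its SPDX type
            comp.setdefault("externalReferences", []).append(
                {"type": "other", "url": ref["referenceLocator"],
                 "comment": f"{ref.get('referenceCategory')}:{ref.get('referenceType')}"})
    return comp
```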