
fix: SPDX relationships in sbom #6868

Closed

Conversation

antonbauhofer
Contributor

@antonbauhofer antonbauhofer commented Oct 5, 2023

This adjusts the relationships in an SPDX sbom, created with npm sbom, to match the explanations at https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/

To reflect the correct directionality, the order of the relationship references is swapped and the following types are changed:
HAS_PREREQUISITE -> PREREQUISITE_FOR
DEPENDS_ON -> DEPENDENCY_OF

Fixes #6867

This adjusts the relationships to match the explanations at https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/

Fixes npm#6867

Signed-off-by: Anton Bauhofer <anton.bauhofer@tngtech.com>
@antonbauhofer antonbauhofer requested a review from a team as a code owner October 5, 2023 07:48
@antonbauhofer antonbauhofer changed the title Fix SPDX relationships in sbom fix: SPDX relationships in sbom Oct 5, 2023
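The description above relies on a property of SPDX 2.3 relationships: each one is read as "spdxElementId relationshipType relatedSpdxElement", so DEPENDS_ON and DEPENDENCY_OF (likewise HAS_PREREQUISITE and PREREQUISITE_FOR) express the same edge with the two references in opposite order. The following is an added example, not code from npm or from this PR, that makes that directionality explicit: it extracts the (dependent, dependency) edge from a relationship, rewrites a relationship into its inverse form the way the PR proposes, and checks a generated document against the dependency edges it should contain. The SBOM fragment and expected-edge set are constructed for the example; the JSON field names are the SPDX 2.x ones.

```python
"""Check the direction of dependency relationships in an SPDX 2.3 JSON SBOM.

SPDX 2.3 reads every relationship as
"<spdxElementId> <relationshipType> <relatedSpdxElement>", so DEPENDS_ON
and DEPENDENCY_OF (and HAS_PREREQUISITE / PREREQUISITE_FOR) describe the
same edge with the two references in opposite order.
"""
import json

# For each type: is spdxElementId the dependent (True) or the dependency (False)?
DEPENDENT_IS_SUBJECT = {
    "DEPENDS_ON": True,
    "HAS_PREREQUISITE": True,
    "DEPENDENCY_OF": False,
    "PREREQUISITE_FOR": False,
}

# Inverse types, used to rewrite a relationship with its references swapped
# (the substitution the PR description proposes).
INVERSE = {
    "DEPENDS_ON": "DEPENDENCY_OF",
    "DEPENDENCY_OF": "DEPENDS_ON",
    "HAS_PREREQUISITE": "PREREQUISITE_FOR",
    "PREREQUISITE_FOR": "HAS_PREREQUISITE",
}


def dependency_edge(rel):
    """Return (dependent, dependency) for a dependency-like relationship, else None."""
    rtype = rel["relationshipType"]
    if rtype not in DEPENDENT_IS_SUBJECT:
        return None
    a, b = rel["spdxElementId"], rel["relatedSpdxElement"]
    return (a, b) if DEPENDENT_IS_SUBJECT[rtype] else (b, a)


def invert(rel):
    """Swap the two references and the type; the described edge is unchanged."""
    return {
        "spdxElementId": rel["relatedSpdxElement"],
        "relationshipType": INVERSE[rel["relationshipType"]],
        "relatedSpdxElement": rel["spdxElementId"],
    }


def find_reversed(sbom, expected_edges):
    """Return relationships whose edge is the reverse of a known dependency edge.

    expected_edges is a set of (dependent, dependency) pairs taken from the
    package tree the SBOM was generated from.
    """
    reversed_rels = []
    for rel in sbom.get("relationships", []):
        edge = dependency_edge(rel)
        if edge is None:
            continue
        if edge not in expected_edges and (edge[1], edge[0]) in expected_edges:
            reversed_rels.append(rel)
    return reversed_rels


# Constructed sample (not a real npm output): an app that depends on one library.
# The second relationship points the wrong way; the third is a correct spelling
# of the same edge.
SAMPLE_SBOM = json.loads("""{
  "SPDXID": "SPDXRef-DOCUMENT",
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-app"},
    {"spdxElementId": "SPDXRef-Package-lib", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-app"},
    {"spdxElementId": "SPDXRef-Package-lib", "relationshipType": "DEPENDENCY_OF",
     "relatedSpdxElement": "SPDXRef-Package-app"}
  ]
}""")
# Constructed ground truth: app depends on lib.
EXPECTED_EDGES = {("SPDXRef-Package-app", "SPDXRef-Package-lib")}

if __name__ == "__main__":
    for rel in find_reversed(SAMPLE_SBOM, EXPECTED_EDGES):
        print("reversed:", rel["spdxElementId"], rel["relationshipType"],
              rel["relatedSpdxElement"])
```

Running the script flags only the DEPENDS_ON relationship; `invert()` applied to it yields "SPDXRef-Package-app DEPENDENCY_OF SPDXRef-Package-lib", which `dependency_edge()` maps to the same (wrong) edge, showing that swapping references and type together changes the spelling but not the direction.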
@wraithgar
Member

Did you read this conversation?

@wraithgar
Member

Closing as per the conversation in #6867

@wraithgar wraithgar closed this Oct 5, 2023
@antonbauhofer
Contributor Author

Did you read this conversation?

Yes, the PR is based on this conversation.
As @maxhbr pointed out, "the directionality is implied by the spdxElementId/relatedSpdxElement fields, in combination with the type of the relationship". When checking the relationships with a concrete example, I noticed that some do indeed point in the wrong direction. So, we fix it here.
As @bdehamer pointed out, "many of the types don't have a supported inverse". For that reason, I chose to replace
HAS_PREREQUISITE -> PREREQUISITE_FOR
DEPENDS_ON -> DEPENDENCY_OF
so we can keep the order of the references consistent.

@maxhbr

maxhbr commented Oct 5, 2023

@wraithgar: the conversation you linked was not resolved. It was a problem with the PR that was pointed out, but it got merged without being fixed.

My last comment #6801 was probably confusing. I wanted to say that this line is probably correct, but the others are still inconsistent and wrong.

Successfully merging this pull request may close these issues.

[BUG] Relationships in SPDX sbom pointing in wrong direction