Hi Sandeep – Moving the conversation over to the SPDX-tech mailing list.
Unfortunately, adding in a CPE ID or pURL would include characters disallowed in the SPDX ID. Fortunately, there is a way to express the pURL and CPE ID in the SPDX Package using the ExternalRef property. If you add these properties, tools such as the SPDX to OSV <https://github.com/spdx/spdx-to-osv> will pick up the references and use them to uniquely identify the packages.

Here's an example in JSON format for a CPE 2.3 ID:

    "packages" : [ {
      "SPDXID" : "SPDXRef-Package",
      "externalRefs" : [ {
        "referenceCategory" : "SECURITY",
        "referenceLocator" : "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*",
        "referenceType" : "cpe23Type"
      }, …

See the ExternalRef <https://spdx.github.io/spdx-spec/package-information/#721-external-reference-field> subsection of the spec and the External Repository Identifiers <https://spdx.github.io/spdx-spec/external-repository-identifiers/> Annex for more details.

Regards,
Gary

From: [email protected] <[email protected]> On Behalf Of Patil, Sandeep via lists.spdx.org
Sent: Monday, May 16, 2022 9:06 AM
To: [email protected]
Subject: [spdx] SPDXID #spdx

Hi,

I have a query regarding SPDXID. Can this be expressed along with CPE or pURL, something like "SPDXRef-[cpe id]" or "SPDXRef-[pURL]"?

Any further guidance on this will help.

Regards
Sandeep

View/Reply Online (#4512): https://lists.spdx.org/g/Spdx-tech/message/4512

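The approach Gary describes above, worked through as an added example (not code from the thread or from the SPDX project): it checks a candidate SPDXID against the SPDX 2.x character rule, builds a package entry that carries the CPE 2.3 ID and pURL as externalRefs instead, and pulls those locators back out the way an SBOM scanner such as spdx-to-osv would. The package name, version and the pURL value are constructed samples.

```python
import json
import re
from typing import Optional

# SPDX 2.x rule: an SPDX identifier is "SPDXRef-" followed only by letters, digits, "." and "-".
# That is why ":", "*", "/" and "@" from a CPE or pURL cannot go into the SPDXID itself.
SPDX_ID_RE = re.compile(r"^SPDXRef-[A-Za-z0-9.\-]+$")

# referenceType -> referenceCategory pairs from the SPDX External Repository Identifiers annex.
REF_CATEGORY = {"cpe23Type": "SECURITY", "purl": "PACKAGE-MANAGER"}


def is_valid_spdx_id(spdx_id: str) -> bool:
    """True if spdx_id uses only the characters the SPDX spec allows."""
    return SPDX_ID_RE.fullmatch(spdx_id) is not None


def make_package(spdx_id: str, name: str, version: str,
                 cpe23: Optional[str] = None, purl: Optional[str] = None) -> dict:
    """Build an SPDX 2.x package entry carrying CPE/pURL as externalRefs, not in the SPDXID."""
    if not is_valid_spdx_id(spdx_id):
        raise ValueError(f"invalid SPDX identifier: {spdx_id!r}")
    refs = []
    for ref_type, locator in (("cpe23Type", cpe23), ("purl", purl)):
        if locator:
            refs.append({"referenceCategory": REF_CATEGORY[ref_type],
                         "referenceType": ref_type,
                         "referenceLocator": locator})
    return {"SPDXID": spdx_id, "name": name, "versionInfo": version, "externalRefs": refs}


def find_locators(package: dict, ref_type: str) -> list:
    """Return every referenceLocator of one referenceType from a package (what a scanner reads)."""
    return [r["referenceLocator"] for r in package.get("externalRefs", [])
            if r.get("referenceType") == ref_type]


if __name__ == "__main__":
    cpe = "cpe:2.3:a:pivotal_software:spring_framework:4.1.0:*:*:*:*:*:*:*"
    purl = "pkg:maven/org.springframework/spring-core@4.1.0"  # constructed sample pURL
    # Embedding the CPE in the SPDXID fails the character rule; as an externalRef it is fine.
    print(is_valid_spdx_id("SPDXRef-" + cpe))  # False
    pkg = make_package("SPDXRef-Package-spring-core", "spring-core", "4.1.0", cpe23=cpe, purl=purl)
    print(json.dumps({"packages": [pkg]}, indent=2))
    print(find_locators(pkg, "cpe23Type"))
```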