Anthony,

Based on our experiences, the presence of any path information creates problems when searching NIST NVD that could result in false negatives during a risk assessment. We strip all path info from the filename before submitting a NIST NVD vulnerability search request.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com

Email: [email protected]

Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Anthony Harrison
Sent: Friday, February 17, 2023 7:03 AM
To: [email protected]
Subject: [spdx-tech] FileNames in SPDX File item

Colleagues

A couple of questions on files specified in a SPDX File item.

According to the SPDX spec, the filename for a SPDX file is a relative filename (prefixed by ./); see https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field. However, providing a relative path doesn't help identify the source of the actual location of the file. Where should the absolute path be specified (I think we just need the root)? I have thought about putting the file path as a FileComment, but that is probably abusing the purpose of this field.

Are we assuming that ALL files in the SBOM are within the same file tree? I have assumed that if I encounter a link in the tree, I would use the actual file location rather than its link, but this is likely to be in another part of the directory tree. If this is the case, would that mean we would have to create a separate SBOM for files in a different part of the directory tree?

Regards

Anthony 
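
As an added example (not code from either message or from the SPDX project), the following Python shows the two practices discussed in this thread: deriving the spec's "./"-prefixed relative FileName from an absolute path and a chosen SBOM root, flagging paths (such as a resolved link target) that fall outside that root and so would need another root or SBOM, and stripping every directory component before an NVD keyword search as Dick describes. The root, paths and file names are constructed sample values; the Windows-path heuristic is an assumption of this example.

```python
import posixpath
from pathlib import PurePosixPath, PureWindowsPath


def _normalize(path: str) -> PurePosixPath:
    """Collapse '.'/'..' and convert Windows separators; SPDX FileName always uses '/'."""
    # Assumed heuristic: a backslash or a drive letter ("C:") marks a Windows-style path.
    if "\\" in path or (len(path) > 1 and path[1] == ":"):
        path = PureWindowsPath(path).as_posix()
    return PurePosixPath(posixpath.normpath(path))


def spdx_file_name(path: str, root: str) -> str:
    """SPDX 2.3 FileName for `path`: relative to `root` and prefixed with './'.

    Raises ValueError when the normalized path lies outside `root`, which is the
    situation Anthony describes for a link whose target is elsewhere in the tree.
    """
    p, r = _normalize(path), _normalize(root)
    try:
        rel = p.relative_to(r)  # component-wise, so /build/proj2 is not under /build/proj
    except ValueError:
        raise ValueError(f"{path!r} is outside the SBOM root {root!r}") from None
    return "./" + rel.as_posix()


def partition_by_root(paths, root: str):
    """Split paths into SPDX FileNames under `root` and paths that need another root/SBOM."""
    inside, outside = [], []
    for p in paths:
        try:
            inside.append(spdx_file_name(p, root))
        except ValueError:
            outside.append(p)
    return inside, outside


def nvd_search_term(file_name: str) -> str:
    """Bare file name for an NVD keyword search: every directory component removed."""
    return _normalize(file_name).name


if __name__ == "__main__":
    # Constructed sample tree: one resolved link target sits outside the root.
    root = "/build/proj"
    found = ["/build/proj/src/main.c", "/build/proj/lib/../lib/libz.so", "/usr/lib/libssl.so"]
    inside, outside = partition_by_root(found, root)
    print(inside)   # ['./src/main.c', './lib/libz.so']
    print(outside)  # ['/usr/lib/libssl.so']
    print(nvd_search_term(inside[1]))  # libz.so
```
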

View/Reply Online (#4971): https://lists.spdx.org/g/Spdx-tech/message/4971