More completely, https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field says:
> Identify the full path and filename that corresponds to the file
> information in this section.
>
> Format: A relative filename with the root of the package archive or
> directory.
>
> In general, every filename is preceded with a ./, see
> http://www.ietf.org/rfc/rfc3986.txt for syntax.

So the syntax is a path "relative to the package archive or directory", not just a bare filename with a "./" prefix.

Unfortunately the package name ("Provide the actual file name of the package, or path of the directory being treated as a package.") is optional but file name is required, which is confusing.

Fortunately this corresponds to the SPDX 3 decision to NOT support the downloadLocation property for File; i.e. files only have meaning in the context of packages. Presumably the same "name" requirements copy directly from 2.3 to 3.0.

Question: Since the 2.3 File name is required but Package name is optional -- is there any situation where a relative file name is meaningful without a base? If not, is Package name being optional a bug / mistake?

@Dick: Given a path, applications can submit just the filename portion in queries.

On Fri, Feb 17, 2023 at 7:57 AM Dick Brooks <[email protected]> wrote:

> Anthony,
>
> Based on our experiences, the presence of any path information creates
> problems when searching NIST NVD that could result in false negatives,
> during a risk assessment. We strip all path info from the filename before
> submitting a NIST NVD vulnerability search request.
>
> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector, *
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!
> <https://reliableenergyanalytics.com/products>* ™
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> *From:* [email protected] <[email protected]> *On Behalf Of
> *Anthony Harrison
> *Sent:* Friday, February 17, 2023 7:03 AM
> *To:* [email protected]
> *Subject:* [spdx-tech] FileNames in SPDX File item
>
> Colleagues
>
> A couple of questions on files specified in a SPDX File item.
>
> According to the SPDX spec, the filename for a SPDX file is a relative
> filename (prefixed by ./). - see
> https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field.
> However providing a relative path doesn't help identify the source of the
> actual location of the file. Where should the absolute path be specified (I
> think we just need the root)? I have thought about putting the file path as
> a FileComment but that is probably abusing the purpose of this field.
>
> Are we assuming that ALL files in SBOM are within the same file tree? I
> have assumed that if I encounter a link in the tree, I would use the actual
> file location rather than its link but this is likely to be in another
> part of the directory tree. If this is the case, would that mean we would
> have to create a separate SBOM for files in a different part of the
> directory tree?
>
> Regards
>
> Anthony

View/Reply Online (#4972): https://lists.spdx.org/g/Spdx-tech/message/4972
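The FileName rules quoted at the top of this message (a relative path from the package root, normally "./"-prefixed) and the practice of stripping path information before a vulnerability-database query, worked through in code. This is an added example for the thread, not SPDX project code and not anything the posters wrote. It reads the real SPDX 2.3 tag-value tags PackageName, PackageFileName and FileName, but the sample SBOM text is constructed and the function names are illustrative. It takes the package's PackageFileName (section 7.4, the optional field whose description is quoted above) as the base a relative FileName resolves against, and assumes the tag-value ordering convention that a FileName section belongs to the package declared before it.

```python
"""Handle SPDX 2.3 FileName (8.1) values: validate and canonicalise the
relative form, resolve it against the package's PackageFileName (7.4) when
one is present, and extract the bare file name for database lookups.

Added example for this thread, not SPDX project code. The sample SBOM
below is constructed; function names are illustrative.
"""
from __future__ import annotations

import posixpath
import re

# Absolute Windows paths, checked after separators are normalised to "/".
_DRIVE_RE = re.compile(r"^[A-Za-z]:/")


class SpdxFileNameError(ValueError):
    """A FileName value that violates the 8.1 format rules."""


def normalise_file_name(name: str) -> str:
    """Return the canonical 8.1 form: "./"-prefixed, "/"-separated,
    relative to the package root, with "." and ".." segments collapsed.

    Rejects empty names, absolute paths, and any name that would escape
    the package root once normalised (e.g. "../etc/passwd").
    """
    if not name or name != name.strip():
        raise SpdxFileNameError(f"empty or padded file name: {name!r}")
    name = name.replace("\\", "/")  # tolerate Windows separators from producers
    if name.startswith("/") or _DRIVE_RE.match(name):
        raise SpdxFileNameError(f"absolute path is not allowed: {name!r}")
    if not name.startswith("./"):
        name = "./" + name
    collapsed = posixpath.normpath(name)  # drops "./", folds "a/../b" and "a//b"
    if collapsed in (".", "..") or collapsed.startswith("../"):
        raise SpdxFileNameError(f"path escapes the package root: {name!r}")
    return "./" + collapsed


def resolve_against_package(file_name: str, package_file_name: str | None) -> str | None:
    """Join a relative FileName onto the containing package's PackageFileName.

    Returns None when the package gave no file name or directory: that is
    the case the thread asks about, a relative path with no base to apply it to.
    """
    rel = normalise_file_name(file_name)
    if not package_file_name:
        return None
    return posixpath.join(package_file_name.rstrip("/"), rel[len("./"):])


def lookup_name(file_name: str) -> str:
    """Strip every path component, keeping only the final file name
    (the form submitted to a vulnerability-database search, as described above)."""
    return posixpath.basename(normalise_file_name(file_name))


def parse_tag_value(text: str) -> list[tuple[str | None, str]]:
    """Minimal tag-value reader returning (PackageFileName, FileName) pairs.

    Assumes the tag-value ordering convention: a FileName section belongs
    to the most recently declared package.
    """
    pairs: list[tuple[str | None, str]] = []
    package_file_name: str | None = None
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            continue
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            package_file_name = None  # new package; its PackageFileName may follow
        elif tag == "PackageFileName":
            package_file_name = value
        elif tag == "FileName":
            pairs.append((package_file_name, value))
    return pairs


def report(text: str) -> list[dict[str, str | None]]:
    """Canonical name, resolved location (if any) and lookup name per file."""
    return [
        {
            "file": normalise_file_name(fname),
            "resolved": resolve_against_package(fname, pkg),
            "lookup": lookup_name(fname),
        }
        for pkg, fname in parse_tag_value(text)
    ]


# Constructed sample: the first package carries a PackageFileName, the second does not.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3
PackageName: demo-app
PackageFileName: ./demo-app-1.2.0
FileName: ./src/main.c
FileName: src/../lib/libcrypto.so.3
PackageName: vendored-lib
FileName: ./include/zlib.h
"""

if __name__ == "__main__":
    for row in report(SAMPLE_SBOM):
        print(row)
```

Running it shows the three outcomes the thread circles around: a file whose package gives a base resolves to a usable path, a file under a package with no PackageFileName resolves to nothing, and every file still yields a bare name for a lookup regardless of whether a base existed. The ".." rejection is there because a consumer that joins an untrusted FileName onto a root directory would otherwise be handed a path-traversal primitive.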
