@David, spot on – this is precisely what we do when submitting a query to NIST NVD: we strip everything except the filename from the FileName content.
Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership <https://reliableenergyanalytics.com/products>
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] On Behalf Of David Kemp
Sent: Friday, February 17, 2023 11:08 AM
To: [email protected]
Subject: Re: [spdx-tech] FileNames in SPDX File item

More completely, https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field says:

"Identify the full path and filename that corresponds to the file information in this section. Format: A relative filename with the root of the package archive or directory. In general, every filename is preceded with a ./, see http://www.ietf.org/rfc/rfc3986.txt for syntax."

So the syntax is a path "relative to the package archive or directory", not just a bare filename with a "./" prefix. Unfortunately the package name ("Provide the actual file name of the package, or path of the directory being treated as a package.") is optional but file name is required, which is confusing.

Fortunately this corresponds to the SPDX 3 decision to NOT support downloadLocation property for File; i.e. files only have meaning in the context of packages. Presumably the same "name" requirements copy directly from 2.3 to 3.0.

Question: Since 2.3 File name is required but Package name is optional -- is there any situation where a relative file name is meaningful without a base? If not, is Package name optional a bug / mistake?

@Dick: Given a path, applications can submit just the filename portion in queries.
On Fri, Feb 17, 2023 at 7:57 AM Dick Brooks <[email protected]> wrote:

Anthony,

Based on our experiences, the presence of any path information creates problems when searching NIST NVD that could result in false negatives during a risk assessment. We strip all path info from the filename before submitting a NIST NVD vulnerability search request.

Thanks,

Dick Brooks

From: [email protected] On Behalf Of Anthony Harrison
Sent: Friday, February 17, 2023 7:03 AM
To: [email protected]
Subject: [spdx-tech] FileNames in SPDX File item

Colleagues

A couple of questions on files specified in a SPDX File item.

According to the SPDX spec, the filename for a SPDX file is a relative filename (prefixed by ./) - see https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field. However providing a relative path doesn't help identify the source of the actual location of the file. Where should the absolute path be specified (I think we just need the root)? I have thought about putting the file path as a FileComment but that is probably abusing the purpose of this field.

Are we assuming that ALL files in SBOM are within the same file tree? I have assumed that if I encounter a link in the tree, I would use the actual file location rather than its link but this is likely to be in another part of the directory tree. If this is the case, would that mean we would have to create a separate SBOM for files in a different part of the directory tree?
Regards
Anthony

View/Reply Online (#4973): https://lists.spdx.org/g/Spdx-tech/message/4973
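As an added illustration of the FileName rules debated in this thread (this is not code from the thread, the SPDX project or any participant's tooling): a small Python helper that accepts an SPDX 2.3 FileName as a "./"-prefixed path relative to the package root, rejects absolute or root-escaping paths, resolves it against a PackageName when one is present, and reduces it to the bare filename for an NVD-style lookup as Dick describes. All sample paths are constructed; function names are my own.

```python
import posixpath
from typing import Optional


def normalize_spdx_filename(name: str) -> str:
    """Validate an SPDX 2.3 FileName and return it without the './' prefix.

    The field is a path relative to the package archive or directory root.
    Absolute paths, backslash separators and paths that climb above the
    root are rejected so a consumer never resolves a file outside the
    package it belongs to.
    """
    if not name:
        raise ValueError("FileName is required and must not be empty")
    if "\\" in name:
        raise ValueError(f"FileName must use '/' separators: {name!r}")
    if name.startswith("/"):
        raise ValueError(f"FileName must be relative to the package root: {name!r}")
    # Drop the conventional './' prefix, then collapse '.' and '..' segments.
    stripped = name[2:] if name.startswith("./") else name
    normalized = posixpath.normpath(stripped)
    if normalized in (".", "..") or normalized.startswith("../"):
        raise ValueError(f"FileName escapes the package root: {name!r}")
    return normalized


def is_valid_spdx_filename(name: str) -> bool:
    """Boolean form of normalize_spdx_filename, handy for bulk SBOM checks."""
    try:
        normalize_spdx_filename(name)
        return True
    except ValueError:
        return False


def resolve_against_package(name: str, package_name: Optional[str]) -> Optional[str]:
    """Join the FileName onto the PackageName used as the directory root.

    Returns None when the SBOM carries no PackageName: without a base the
    relative FileName has no absolute location (the gap David raises).
    """
    if package_name is None:
        return None
    return posixpath.join(package_name.rstrip("/"), normalize_spdx_filename(name))


def nvd_query_term(name: str) -> str:
    """Reduce a FileName to its bare filename for a vulnerability-database query;
    path components left in the term can produce false negatives."""
    return posixpath.basename(normalize_spdx_filename(name))
```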
