P.S. Since SPDX 3 is Element-based, should the File element contain a package: Package property, to avoid requiring that a "contains" Relationship exist for every File?
On Fri, Feb 17, 2023 at 11:08 AM David Kemp via lists.spdx.org <dk190a=[email protected]> wrote:

> More completely,
> https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field
> says:
>
>> Identify the full path and filename that corresponds to the file
>> information in this section.
>> Format: A relative filename with the root of the package archive or
>> directory.
>> In general, every filename is preceded with a ./, see
>> http://www.ietf.org/rfc/rfc3986.txt for syntax.
>
> So the syntax is a path "relative to the package archive or directory",
> not just a bare filename with a "./" prefix. Unfortunately the package
> name ("Provide the actual file name of the package, or path of the
> directory being treated as a package.") is optional but file name is
> required, which is confusing.
>
> Fortunately this corresponds to the SPDX 3 decision to NOT support
> downloadLocation property for File; i.e. files only have meaning in the
> context of packages. Presumably the same "name" requirements copy directly
> from 2.3 to 3.0.
>
> Question: Since 2.3 File name is required but Package name is optional --
> is there any situation where a relative file name is meaningful without a
> base? If not, is Package name optional a bug / mistake?
>
> @Dick: Given a path, applications can submit just the filename portion in
> queries.
>
> On Fri, Feb 17, 2023 at 7:57 AM Dick Brooks <[email protected]> wrote:
>
>> Anthony,
>>
>> Based on our experiences, the presence of any path information creates
>> problems when searching NIST NVD that could result in false negatives,
>> during a risk assessment. We strip all path info from the filename before
>> submitting a NIST NVD vulnerability search request.
>>
>> Thanks,
>>
>> Dick Brooks
>>
>> Active Member of the CISA Critical Manufacturing Sector,
>> Sector Coordinating Council – A Public-Private Partnership
>>
>> Never trust software, always verify and report! ™
>> <https://reliableenergyanalytics.com/products>
>> http://www.reliableenergyanalytics.com
>> Email: [email protected]
>> Tel: +1 978-696-1788
>>
>> From: [email protected] <[email protected]> On Behalf Of Anthony Harrison
>> Sent: Friday, February 17, 2023 7:03 AM
>> To: [email protected]
>> Subject: [spdx-tech] FileNames in SPDX File item
>>
>> Colleagues
>>
>> A couple of questions on files specified in a SPDX File item.
>>
>> According to the SPDX spec, the filename for a SPDX file is a relative
>> filename (prefixed by ./) - see
>> https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field.
>> However providing a relative path doesn't help identify the source of the
>> actual location of the file. Where should the absolute path be specified (I
>> think we just need the root)? I have thought about putting the file path as
>> a FileComment but that is probably abusing the purpose of this field.
>>
>> Are we assuming that ALL files in SBOM are within the same file tree? I
>> have assumed that if I encounter a link in the tree, I would use the actual
>> file location rather than its link but this is likely to be in another
>> part of the directory tree. If this is the case, would that mean we would
>> have to create a separate SBOM for files in a different part of the
>> directory tree?
>>
>> Regards
>>
>> Anthony

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#4974): https://lists.spdx.org/g/Spdx-tech/message/4974
Mute This Topic: https://lists.spdx.org/mt/97026525/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
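The thread's point, as an added example that is not the SPDX project's code nor any participant's: a Python consumer resolves each SPDX 2.3 File's relative fileName against the name of the Package that CONTAINS it (the base the spec implies), flags files that have no base (no CONTAINS relationship, or a package whose optional name is absent), and separates out the bare filename that a path-free vulnerability lookup would submit. The document, package paths and file names are constructed for this example.

```python
import posixpath

# Constructed sample in the SPDX 2.3 JSON data model (not a real SBOM).
# Package "name" is the path of the directory treated as a package; fileName
# values are relative to it and prefixed with "./" as section 8.1 requires.
SAMPLE_DOC = {
    "packages": [
        {"SPDXID": "SPDXRef-Package-app", "name": "/opt/app"},
        {"SPDXID": "SPDXRef-Package-noname"},  # name is optional in 2.3
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1", "fileName": "./lib/libfoo.so.1"},
        {"SPDXID": "SPDXRef-File-2", "fileName": "./bin/tool"},
        {"SPDXID": "SPDXRef-File-3", "fileName": "/etc/absolute.conf"},  # violates 8.1
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Package-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-1"},
        {"spdxElementId": "SPDXRef-Package-noname", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-File-2"},
    ],
}


def containing_package(doc, file_id):
    """Return the package element that CONTAINS file_id, or None if there is none."""
    for rel in doc.get("relationships", []):
        if rel["relationshipType"] == "CONTAINS" and rel["relatedSpdxElement"] == file_id:
            return next((p for p in doc["packages"] if p["SPDXID"] == rel["spdxElementId"]), None)
    return None


def resolve_file(doc, file_entry):
    """Check fileName syntax, resolve it against the containing package's name (the base),
    and return the bare basename that a path-free vulnerability lookup would submit."""
    name = file_entry["fileName"]
    result = {"basename": posixpath.basename(name), "full_path": None, "issues": []}
    if not name.startswith("./"):
        result["issues"].append("fileName must be relative and prefixed with ./")
    pkg = containing_package(doc, file_entry["SPDXID"])
    if pkg is None:
        result["issues"].append("no CONTAINS relationship: relative name has no base")
    elif "name" not in pkg:
        result["issues"].append("containing package has no name: base directory unknown")
    else:
        # Join base + relative name; normpath collapses the "./" segment.
        result["full_path"] = posixpath.normpath(posixpath.join(pkg["name"], name))
    return result
```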
