Just echoing the comments below.

> Where should the absolute path be specified (I think we just need the root)?

The relative file path is relative to the package the file is “contain”ed
within. In a scenario where you have a package “contain”ing several files, you
would typically have a Package File Name
<https://spdx.github.io/spdx-spec/v2.3/package-information/#74-package-file-name-field>
indicating the root for the contained file name fields if it is in a directory,
or the filename of an archive file where the root of the archive file is the
root of the contained files. The Package Name
<https://spdx.github.io/spdx-spec/v2.3/package-information/#71-package-name-field>
field is just the name the Originator gave to the package, so it would not be
used for forming the root path information.


If there is a single file which is distributed independently (e.g. not
contained within a package), you would use a Package rather than a File, put
your file path information in the Package File Name
<https://spdx.github.io/spdx-spec/v2.3/package-information/#74-package-file-name-field>
field, and use File for the Primary Package Purpose
<https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field>
field.


> Are we assuming that ALL files in SBOM are within the same file tree?


Translating the question a bit into SPDX Speak, “Are we assuming that ALL files
in the SPDX Document are within the same file tree?”


No – the assumption is that ALL files with a CONTAINS relationship to the same
package are in the same file tree. All files in an SBOM are in the same file
tree only if the SBOM contains only one package which contains files.


Best,

Gary


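Gary's answer above, as an added worked example (mine; it is not code from the SPDX project or from anyone in this thread): a small Python script that takes a constructed SPDX 2.3 JSON fragment, anchors every File Name to the Package File Name of the package that CONTAINS it, treats a FILE-purpose Package as the standalone-file case, returns None for a File that has no CONTAINS relationship (the case David raises, where the relative name has no base), and strips the path down to a bare filename the way Dick describes doing before an NVD lookup. The sample document, its package names and paths, and the "archive/member" notation for a file inside an archive package are all assumptions of this example, not SPDX definitions.

```python
"""Anchor SPDX 2.3 File Names to the File Name of the containing Package.

Added example for this thread, not code from the SPDX project or any poster.
SAMPLE_SPDX is a constructed SPDX 2.3 JSON fragment using the spec's JSON
field names (packageFileName, fileName, primaryPackagePurpose, relationships).
"""
import posixpath
from typing import Dict, List, Optional

# Constructed sample: a package delivered as a directory, one delivered as an
# archive, a standalone file as a FILE-purpose Package, and an orphan File.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Pkg-app", "name": "myapp", "packageFileName": "/opt/myapp", "primaryPackagePurpose": "APPLICATION"},
        {"SPDXID": "SPDXRef-Pkg-lib", "name": "libfoo", "packageFileName": "./vendor/libfoo-1.2.tar.gz", "primaryPackagePurpose": "LIBRARY"},
        {"SPDXID": "SPDXRef-Pkg-script", "name": "deploy.sh", "packageFileName": "/usr/local/bin/deploy.sh", "primaryPackagePurpose": "FILE"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-main", "fileName": "./bin/main"},
        {"SPDXID": "SPDXRef-File-cfg", "fileName": "./etc/app.conf"},
        {"SPDXID": "SPDXRef-File-foo", "fileName": "./src/foo.c"},
        {"SPDXID": "SPDXRef-File-orphan", "fileName": "./lonely.txt"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-Pkg-app", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-File-main"},
        {"spdxElementId": "SPDXRef-File-cfg", "relationshipType": "CONTAINED_BY", "relatedSpdxElement": "SPDXRef-Pkg-app"},
        {"spdxElementId": "SPDXRef-Pkg-lib", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-File-foo"},
    ],
}


def containing_package(doc: dict) -> Dict[str, str]:
    """Map each File SPDXID to the SPDXID of the Package that CONTAINS it.

    Both spellings are honoured: Pkg CONTAINS File and File CONTAINED_BY Pkg.
    """
    owner: Dict[str, str] = {}
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype == "CONTAINS":
            owner[rel["relatedSpdxElement"]] = rel["spdxElementId"]
        elif rtype == "CONTAINED_BY":
            owner[rel["spdxElementId"]] = rel["relatedSpdxElement"]
    return owner


def lint_file_name(name: str) -> List[str]:
    """Problems with a File Name value; an empty list means it is well formed.

    The field is relative to the package root, conventionally prefixed './'.
    An absolute path cannot be anchored to a package, and a '..' segment climbs
    out of the root; a consumer that touches files at the resolved path must
    refuse both rather than trust a third-party SBOM.
    """
    problems: List[str] = []
    if name.startswith("/"):
        problems.append("absolute path; must be relative to the package root")
    elif not name.startswith("./"):
        problems.append("missing the conventional './' prefix")
    if ".." in name.split("/"):
        problems.append("'..' segment escapes the package root")
    return problems


def resolve_file_paths(doc: dict) -> Dict[str, Optional[str]]:
    """Resolve every File, and every FILE-purpose Package, to a full path.

    A File maps to None when nothing CONTAINS it, when its package has no
    packageFileName, or when its name is absolute or escapes the root: the
    relative name then has no base.  For an archive package the joined path
    names a member inside the archive; that notation is this example's own
    convention, not something the SPDX spec defines.
    """
    owner = containing_package(doc)
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    resolved: Dict[str, Optional[str]] = {}
    for f in doc.get("files", []):
        pkg = packages.get(owner.get(f["SPDXID"], ""))
        root = pkg.get("packageFileName") if pkg else None
        name = f["fileName"]
        fatal = [p for p in lint_file_name(name) if "prefix" not in p]
        if root is None or fatal:
            resolved[f["SPDXID"]] = None
            continue
        rel = name[2:] if name.startswith("./") else name
        resolved[f["SPDXID"]] = posixpath.join(root, rel)
    # A single independently distributed file is a Package whose
    # primaryPackagePurpose is FILE; its path is the packageFileName itself.
    for pkg_id, pkg in packages.items():
        if pkg.get("primaryPackagePurpose") == "FILE" and pkg.get("packageFileName"):
            resolved[pkg_id] = pkg["packageFileName"]
    return resolved


def nvd_search_term(name: str) -> str:
    """Bare filename for a vulnerability-database query: every directory
    component is dropped, mirroring the practice Dick describes for NVD."""
    return posixpath.basename(name)


if __name__ == "__main__":
    for spdx_id, path in resolve_file_paths(SAMPLE_SPDX).items():
        term = nvd_search_term(path) if path else "(unresolvable)"
        print(f"{spdx_id:22} {str(path):40} nvd={term}")
```

Running the script prints one line per element; the orphan File comes out as unresolvable because, as David notes below, a relative name without a containing package has nothing to be relative to, while the script file appears under its own Package SPDXID rather than as a File.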
From: [email protected] <[email protected]> On Behalf Of David 
Kemp
Sent: Friday, February 17, 2023 8:17 AM
To: [email protected]
Subject: Re: [spdx-tech] FileNames in SPDX File item

P.S. Since SPDX 3 is Element-based, should the File element contain a package:
Package property, to avoid requiring that a "contains" Relationship exist for
every File?

On Fri, Feb 17, 2023 at 11:08 AM David Kemp via lists.spdx.org
<[email protected]> wrote:

More completely, 
https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field says:

Identify the full path and filename that corresponds to the file information in 
this section.
Format: A relative filename with the root of the package archive or directory.
In general, every filename is preceded with a ./, see
http://www.ietf.org/rfc/rfc3986.txt for syntax.

So the syntax is a path "relative to the package archive or directory", not 
just a bare filename with a "./" prefix.  Unfortunately the package name 
("Provide the actual file name of the package, or path of the directory being 
treated as a package.") is optional but file name is required, which is 
confusing.

Fortunately this corresponds to the SPDX 3 decision to NOT support 
downloadLocation property for File; i.e. files only have meaning in the context 
of packages.  Presumably the same "name" requirements copy directly from 2.3 to 
3.0.

Question: Since 2.3 File name is required but Package name is optional -- is 
there any situation where a relative file name is meaningful without a base?  
If not, is Package name optional a bug / mistake?

@Dick: Given a path, applications can submit just the filename portion in
queries.

On Fri, Feb 17, 2023 at 7:57 AM Dick Brooks <[email protected]> wrote:

Anthony,

Based on our experiences, the presence of any path information creates problems 
when searching NIST NVD that could result in false negatives, during a risk 
assessment. We strip all path info from the filename before submitting a NIST 
NVD vulnerability search request.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
<https://reliableenergyanalytics.com/products>
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: [email protected] <[email protected]> On Behalf Of Anthony Harrison
Sent: Friday, February 17, 2023 7:03 AM
To: [email protected]
Subject: [spdx-tech] FileNames in SPDX File item

Colleagues

A couple of questions on files specified in a SPDX File item.

According to the SPDX spec, the filename for an SPDX File is a relative filename
(prefixed by ./), see
https://spdx.github.io/spdx-spec/v2.3/file-information/#81-file-name-field.
However, providing a relative path doesn't help identify the source of the
actual location of the file. Where should the absolute path be specified (I
think we just need the root)? I have thought about putting the file path as a
FileComment but that is probably abusing the purpose of this field.

Are we assuming that ALL files in an SBOM are within the same file tree? I have
assumed that if I encounter a link in the tree, I would use the actual file
location rather than its link, but this is likely to be in another part of the
directory tree. If this is the case, would that mean we would have to create a
separate SBOM for files in a different part of the directory tree?

Regards

Anthony

View/Reply Online (#4975): https://lists.spdx.org/g/Spdx-tech/message/4975