From: [email protected] <[email protected]> On Behalf Of Anthony Harrison
Sent: Friday, February 17, 2023 11:32 AM
To: [email protected]
Subject: Re: [spdx-tech] FileNames in SPDX File item
Thanks for the feedback.
So if I have a package which consists of other dependent packages, can I not
have a single SBOM with all of the files for all of the packages (all files
having a CONTAINS relationship to their respective package)?
[G.O.] Yes, this can be represented in an SPDX document. The way you would
structure that is to have a DESCRIBES relationship from the SPDX Document to the
top level package – this gives you the root of the tree. You would then use a
dependency relationship from the top level package to the dependent packages.
If you want to represent a file contained in the top level package or any of
the dependencies, create a file and create a CONTAINS relationship from the
package to the file. To reconstruct the file paths on serialization, you
would use the package filename from the package containing the file + the file
name.
What can be confusing is deciding when a file is a “package” vs a “file
contained in a package”. Sometimes it is both – for example, if you have a
dependency on, say, a file a.lib and a.lib represents an independently
distributable library, you would likely create a package to represent a.lib.
If the file a.lib is also contained in, say, an archive file that is
distributed with the top level package, you could also create a CONTAINS
relationship to the file a.lib. In general, if you’re dealing with something
that can be distributed independently, you would use a package to represent
that element.
Anthony
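The structure described in the reply above (DESCRIBES from the document to the root package, DEPENDS_ON between packages, CONTAINS from a package to its files, and file paths rebuilt from packageFileName + fileName), as an added worked example. This is not code from the thread or from any SPDX project; the document, its SPDX identifiers, package and file names are constructed for illustration. It goes slightly beyond the text: it also accepts the inverse spellings CONTAINED_BY and DEPENDENCY_OF, and it flags the cases where a path cannot be reconstructed (a file with no containing package, or one claimed by several packages).

```python
"""Build a minimal SPDX 2.3-style document and walk its relationships.

Added example, not from the mailing-list thread. All identifiers, names and
the document itself are constructed for illustration.
"""
import posixpath
from collections import defaultdict

# Constructed sample document (a subset of the SPDX 2.3 JSON fields).
DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "spdxVersion": "SPDX-2.3",
    "name": "example-app-sbom",
    "packages": [
        {"SPDXID": "SPDXRef-app", "name": "app", "versionInfo": "1.0",
         "packageFileName": "app-1.0.tar.gz"},
        # a.lib is independently distributable, so it is modelled as a package ...
        {"SPDXID": "SPDXRef-liba", "name": "liba", "versionInfo": "2.1",
         "packageFileName": "a.lib"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-main-c", "fileName": "./src/main.c"},
        # ... and, as a copy shipped inside the app archive, also as a file.
        {"SPDXID": "SPDXRef-a-lib-file", "fileName": "./lib/a.lib"},
        # Deliberately not CONTAINED by anything: the check below reports it.
        {"SPDXID": "SPDXRef-orphan", "fileName": "./README"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-app"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-liba"},
        {"spdxElementId": "SPDXRef-app", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-main-c"},
        # The inverse form is equally valid SPDX; the walker normalises it.
        {"spdxElementId": "SPDXRef-a-lib-file", "relationshipType": "CONTAINED_BY",
         "relatedSpdxElement": "SPDXRef-app"},
    ],
}


def root_packages(doc):
    """Packages the document DESCRIBES: the root(s) of the tree."""
    return sorted(r["relatedSpdxElement"] for r in doc["relationships"]
                  if r["spdxElementId"] == doc["SPDXID"]
                  and r["relationshipType"] == "DESCRIBES")


def dependency_closure(doc):
    """Packages reachable from the root(s) via DEPENDS_ON, in BFS order."""
    deps = defaultdict(list)
    for r in doc["relationships"]:
        a, t, b = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if t == "DEPENDS_ON":
            deps[a].append(b)
        elif t == "DEPENDENCY_OF":  # inverse spelling: b depends on a
            deps[b].append(a)
    seen, order, queue = set(), [], list(root_packages(doc))
    while queue:
        p = queue.pop(0)
        if p in seen:
            continue
        seen.add(p)
        order.append(p)
        queue.extend(deps[p])
    return order


def containing_packages(doc):
    """Map each file SPDXID to the package SPDXIDs that CONTAIN it."""
    pkg_ids = {p["SPDXID"] for p in doc["packages"]}
    file_ids = {f["SPDXID"] for f in doc["files"]}
    by_file = defaultdict(list)
    for r in doc["relationships"]:
        a, t, b = r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"]
        if t == "CONTAINED_BY":
            a, b = b, a
        elif t != "CONTAINS":
            continue
        if a in pkg_ids and b in file_ids:
            by_file[b].append(a)
    return by_file


def reconstruct_paths(doc):
    """Return (paths, problems).

    paths:    file SPDXID -> packageFileName joined with fileName
    problems: file SPDXID -> why no unambiguous path could be rebuilt
    """
    pkgs = {p["SPDXID"]: p for p in doc["packages"]}
    by_file = containing_packages(doc)
    paths, problems = {}, {}
    for f in doc["files"]:
        fid, owners = f["SPDXID"], by_file.get(f["SPDXID"], [])
        if not owners:
            problems[fid] = "no CONTAINS relationship from any package"
        elif len(owners) > 1:
            problems[fid] = "contained by several packages: " + ", ".join(sorted(owners))
        elif not pkgs[owners[0]].get("packageFileName"):
            problems[fid] = f"package {owners[0]} has no packageFileName"
        else:
            base = pkgs[owners[0]]["packageFileName"]
            # './src/main.c' under 'app-1.0.tar.gz' -> 'app-1.0.tar.gz/src/main.c'
            paths[fid] = posixpath.normpath(posixpath.join(base, f["fileName"]))
    return paths, problems


if __name__ == "__main__":
    print("roots:", root_packages(DOC))
    print("dependency closure:", dependency_closure(DOC))
    found, bad = reconstruct_paths(DOC)
    for fid, path in found.items():
        print(f"{fid}: {path}")
    for fid, why in bad.items():
        print(f"{fid}: cannot reconstruct path ({why})")
```

Two points worth noting. The file a.lib and the package a.lib get separate SPDX identifiers, so the walker never confuses the independently distributable library with the copy sitting inside the application archive. And any file without exactly one containing package is reported rather than silently given a guessed path, since a consumer checking an SBOM against the artifact it describes needs every path to be unambiguous.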
View/Reply Online (#4977): https://lists.spdx.org/g/Spdx-tech/message/4977