We just had a talk about this yesterday due to a Syft issue that came in: https://github.com/anchore/syft/issues/2038 (from Emrick). Currently, we're thinking about excluding packages without name and version information, but the NOASSERTION idea is also something that seems to solve the problem fairly well.
I suppose I'm giving a plus-one on adding this as a specific value for the version when we cannot determine it, but also welcome thoughts on how best to handle this situation.

Cheers,
-Keith

On Fri, Aug 18, 2023 at 12:15 PM Brandon Lum via lists.spdx.org <lumb= [email protected]> wrote:
> Hi,
>
> In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run
> into situations where the version information of a package is unknown. What
> comes to mind is to set the version to NOASSERTION. However, this is not
> currently spelt out in the spec (
> https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field
> ).
>
> Although semantically, in terms of usage of information, it should be
> similar, it still lacks the ability to say that "This information is
> incomplete", with the exception of having NOASSERTION be set on the DEPENDS_ON
> relationship more broadly - which may perhaps be a different discussion
> altogether.
>
> Wanted to get thoughts on this.
>
> Cheers
> Brandon

View/Reply Online (#5300): https://lists.spdx.org/g/Spdx-tech/message/5300
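The thread turns on how a consumer should tell "version known", "version asserted as unknown" and "version simply missing" apart in an SPDX 2.3 document. The script below is an added example, not code from Syft, the SPDX project or either poster; it builds a small constructed SPDX 2.3 JSON document inline (the package names, SPDXIDs and namespace are made up for illustration) and audits it. It assumes, as the thread proposes rather than as the 2.3 spec states, that the literal string NOASSERTION in versionInfo means "the producer could not determine the version", and it also flags the broader option Brandon mentions, a DEPENDS_ON relationship whose target is NOASSERTION.

```python
"""Audit an SPDX 2.3 JSON document for packages whose version is unknown.

Added example. The document is constructed for illustration and uses the
SPDX 2.3 JSON field names (name, versionInfo, SPDXID, relationships).
Reading NOASSERTION in versionInfo as "version unknown" is the convention
proposed in the thread, not something SPDX 2.3 spells out: an assumption.
"""
import json

NOASSERTION = "NOASSERTION"

# Constructed sample: one package with a real version, one asserting
# NOASSERTION, one with the field omitted, plus a NOASSERTION DEPENDS_ON edge.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "example-image",
  "documentNamespace": "https://example.invalid/spdx/example-image",
  "creationInfo": {"created": "2023-08-18T12:00:00Z",
                   "creators": ["Tool: example-generator"]},
  "packages": [
    {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
     "versionInfo": "1.4.2", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-bar", "name": "bar",
     "versionInfo": "NOASSERTION", "downloadLocation": "NOASSERTION"},
    {"SPDXID": "SPDXRef-Package-baz", "name": "baz",
     "downloadLocation": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "NOASSERTION"}
  ]
}
"""


def load_sample() -> dict:
    """Parse the constructed sample document."""
    return json.loads(SAMPLE_SPDX_JSON)


def classify_version(pkg: dict) -> str:
    """Return 'known', 'noassertion' or 'absent' for one package entry.

    'absent' (field missing or empty) is indistinguishable from "the producer
    never looked"; 'noassertion' records that the producer looked and could
    not determine it. Keeping them separate is the whole point of the thread.
    """
    version = pkg.get("versionInfo")
    if version is None or version == "":
        return "absent"
    if version == NOASSERTION:
        return "noassertion"
    return "known"


def audit_versions(doc: dict) -> dict:
    """Group package SPDXIDs by how their version is (or is not) stated."""
    buckets = {"known": [], "noassertion": [], "absent": []}
    for pkg in doc.get("packages", []):
        buckets[classify_version(pkg)].append(pkg["SPDXID"])
    return buckets


def unasserted_dependency_sources(doc: dict) -> list:
    """SPDXIDs whose DEPENDS_ON edge targets NOASSERTION, i.e. the producer
    declined to state what the element depends on (the broader option
    raised in the thread)."""
    return [
        rel["spdxElementId"]
        for rel in doc.get("relationships", [])
        if rel.get("relationshipType") == "DEPENDS_ON"
        and rel.get("relatedSpdxElement") == NOASSERTION
    ]


def is_complete_for_matching(doc: dict) -> bool:
    """False when any package lacks a usable version: such a document cannot
    be matched against version-ranged vulnerability data without gaps."""
    buckets = audit_versions(doc)
    return not buckets["noassertion"] and not buckets["absent"]


if __name__ == "__main__":
    document = load_sample()
    for bucket, ids in audit_versions(document).items():
        print(f"{bucket:12s} {ids}")
    print("unasserted DEPENDS_ON from:", unasserted_dependency_sources(document))
    print("complete for vuln matching:", is_complete_for_matching(document))
```

Run it and the three packages land in three different buckets. The practical consequence for a consumer doing vulnerability matching: a package in the "noassertion" bucket can be reported as "present, version unknown, match inconclusive", whereas a package silently dropped by the producer (the exclusion option Keith mentions) never appears at all, so the consumer cannot even say the inventory is incomplete.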
