Brandon,

REA applies the NOASSERTION value when a PackageVersion is indeterminate, based
on guidance provided by the NTIA work effort.

This is not an issue with “file components” as no version is required.

Thanks,

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788
 

From: [email protected] <[email protected]> On Behalf Of Brandon Lum via lists.spdx.org
Sent: Friday, August 18, 2023 12:16 PM
To: SPDX Technical Mailing List <[email protected]>
Cc: Emrick Donadei <[email protected]>; Tyler Pirtle <[email protected]>
Subject: [spdx-tech] NOASSERTION on PackageVersion field

 

Hi,

In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into
situations where the version information of a package is unknown. What comes to
mind is to set the version to NOASSERTION. However, this is not currently spelt
out in the spec
(https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).

Although semantically, in terms of usage of information, it should be similar,
it still lacks the ability to say that "This information is incomplete", with
the exception of having NOASSERTION be set on the DEPENDS_ON relationship more
broadly - which may perhaps be a different discussion altogether.

Wanted to get thoughts on this.

Cheers

Brandon
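
The following is an added example, not part of either message and not SPDX project code: a consumer-side check over an SPDX 2.3 JSON document that separates a known `versionInfo` from an omitted one and from the literal NOASSERTION convention discussed in the thread, so the string is never matched as a real version. The sample document and package names are constructed, and treating NOASSERTION in `versionInfo` as "unknown" is the thread's convention, which the v2.3 spec does not define for this field.

```python
import json

# Constructed SPDX 2.3 JSON fragment (not from the thread): one package with a
# known version, one with versionInfo omitted, one set to NOASSERTION.
SAMPLE = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {"SPDXID": "SPDXRef-Package-a", "name": "pkg-a", "versionInfo": "1.4.2"},
    {"SPDXID": "SPDXRef-Package-b", "name": "pkg-b"},
    {"SPDXID": "SPDXRef-Package-c", "name": "pkg-c", "versionInfo": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-Package-a", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-b"},
    {"spdxElementId": "SPDXRef-Package-b", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "NOASSERTION"}
  ]
}
""")

def classify_versions(doc):
    """Map each package SPDXID to 'known', 'omitted' or 'noassertion'."""
    result = {}
    for pkg in doc.get("packages", []):
        version = (pkg.get("versionInfo") or "").strip()
        if not version:
            state = "omitted"          # field absent or empty
        elif version == "NOASSERTION":
            state = "noassertion"      # assumption: thread convention, not spec text
        else:
            state = "known"
        result[pkg["SPDXID"]] = state
    return result

def incomplete_dependency_sets(doc):
    """SPDXIDs with a DEPENDS_ON relationship whose target is NOASSERTION."""
    return sorted(
        rel["spdxElementId"]
        for rel in doc.get("relationships", [])
        if rel.get("relationshipType") == "DEPENDS_ON"
        and rel.get("relatedSpdxElement") == "NOASSERTION"
    )

if __name__ == "__main__":
    for spdxid, state in classify_versions(SAMPLE).items():
        print(f"{spdxid}: version {state}")
    print("incomplete dependency sets:", incomplete_dependency_sets(SAMPLE))
```

Packages reported as `omitted` or `noassertion` are the ones a vulnerability-matching step should flag for manual review instead of silently skipping.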




