I think one follow-up question is around whether it is recognized in the specification. For example, for Package Supplier (https://spdx.github.io/spdx-spec/v2.3/package-information/#75-package-supplier-field) it is stated clearly that NOASSERTION is within the format, but not in the case of VersionInfo.

I think the question is: is NOASSERTION usable in any text field? Or does there need to be an explicit indication within the spec where a NOASSERTION can be used?

On Fri, Aug 18, 2023 at 1:22 PM Gary O'Neall <[email protected]> wrote:

> My opinion is that it would be useful to be able to express a "known unknown" on the version if the version can't be determined.
>
> I also agree we should strive to always have a version available. This is especially important in tracking vulnerability information. I just know that there are several situations where this just isn't possible (e.g. source files copied from an upstream project where no one kept track of the original version). It would be better to have the imperfect package information than no information at all.
>
> The NOASSERTION approach seems like a consistent way to represent the "known unknown".
>
> Gary
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Dick Brooks
> *Sent:* Friday, August 18, 2023 9:53 AM
> *To:* [email protected]; 'SPDX Technical Mailing List' <[email protected]>
> *Cc:* 'Emrick Donadei' <[email protected]>; 'Tyler Pirtle' <[email protected]>
> *Subject:* Re: [spdx-tech] NOASSERTION on PackageVersion field
>
> Brandon,
>
> REA applies the NOASSERTION value when a PackageVersion is indeterminate, based on guidance provided by the NTIA work effort.
>
> This is not an issue with "file components" as no version is required.
>
> Thanks,
>
> Dick Brooks
>
> *Active Member of the CISA Critical Manufacturing Sector,*
> *Sector Coordinating Council – A Public-Private Partnership*
>
> *Never trust software, always verify and report!* ™
> <https://reliableenergyanalytics.com/products>
> http://www.reliableenergyanalytics.com
> Email: [email protected]
> Tel: +1 978-696-1788
>
> *From:* [email protected] <[email protected]> *On Behalf Of* Brandon Lum via lists.spdx.org
> *Sent:* Friday, August 18, 2023 12:16 PM
> *To:* SPDX Technical Mailing List <[email protected]>
> *Cc:* Emrick Donadei <[email protected]>; Tyler Pirtle <[email protected]>
> *Subject:* [spdx-tech] NOASSERTION on PackageVersion field
>
> Hi,
>
> In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into situations where the version information of a package is unknown. What comes to mind is to set the version to NOASSERTION. However, this is not currently spelt out in the spec (https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).
>
> Although semantically, in terms of usage of information, it should be similar, it still lacks the ability to say that "This information is incomplete", with the exception of having NOASSERTION be set on the DEPENDS_ON relationship more broadly - which may perhaps be a different discussion altogether.
>
> Wanted to get thoughts on this.
>
> Cheers
>
> Brandon
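To make the distinction the thread is debating concrete, here is an added example (not code from the SPDX project or from any of the posters) that parses SPDX 2.3 tag-value package blocks and separates a concrete PackageVersion from an explicit NOASSERTION and from an omitted field, so an SBOM consumer can surface the "known unknown" rather than silently skip it. The sample SBOM text and the state labels are constructed for this example and are not SPDX vocabulary.

```python
import re

# Constructed sample SBOM (not from the thread): a concrete version, an explicit
# NOASSERTION, and a package whose optional PackageVersion field is omitted.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.3

PackageName: libfoo
PackageVersion: 1.4.2

PackageName: vendored-helper
PackageVersion: NOASSERTION

PackageName: mystery-lib
PackageDownloadLocation: NOASSERTION
"""

TAG_RE = re.compile(r"^(\w+):\s*(.*)$")


def parse_packages(text):
    """Return one {tag: value} dict per PackageName block (tag-value syntax)."""
    packages, current = [], None
    for line in text.splitlines():
        m = TAG_RE.match(line.strip())
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = {}
            packages.append(current)
        if current is not None:
            current[tag] = value
    return packages


def version_state(pkg):
    """State labels are this example's own, not SPDX vocabulary: ASSERTED is a
    concrete version, KNOWN_UNKNOWN an explicit NOASSERTION, ABSENT a package
    that omitted the optional field and therefore stated nothing at all."""
    if "PackageVersion" not in pkg:
        return "ABSENT"
    if pkg["PackageVersion"] == "NOASSERTION":
        return "KNOWN_UNKNOWN"
    return "ASSERTED"


def version_report(text):
    """Map PackageName -> state so a consumer can flag every non-ASSERTED
    package as a gap in vulnerability matching instead of silently skipping it."""
    return {p["PackageName"]: version_state(p) for p in parse_packages(text)}
```

Only packages in the ASSERTED state can be matched against advisory version ranges; the other two states should be reported as coverage gaps.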
