I could understand why Syft would want to do NOASSERTION, and even a manufacturer might need to do something like this if we are receiving binaries from suppliers.   Licensing probably doesn't care about versioning so long as a license is declared.  But cybersecurity cares.  Is it a show stopper?  Not for a manufacturer because we can issue VEX statements.  But for Syft, it may be more problematic because Syft may not be in a position to create a VEX (I don't know).

Eliot

On 18.08.23 18:34, Keith Zantow via lists.spdx.org wrote:
We just had a talk about this yesterday due to a Syft issue that came in: https://github.com/anchore/syft/issues/2038 (from Emrick). Currently, we're thinking about excluding packages without name and version information, but the NOASSERTION idea is also something that seems to solve the problem fairly well.

I suppose I'm giving a plus-one on adding this as a specific value for the version when we cannot determine it, but also welcome thoughts on how best to handle this situation.

Cheers,
-Keith

On Fri, Aug 18, 2023 at 12:15 PM Brandon Lum via lists.spdx.org <[email protected]> wrote:

    Hi,

    In generating some of our SPDX documents, we've (Tyler/Emrick
    CC'ed) run into situations where the version information of a
    package is unknown. What comes to mind is to set the version to
    NOASSERTION. However, this is not currently spelt out in the spec
    (https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field).


    Although semantically, in terms of usage of information, it should
    be similar, it still lacks the ability to say that "This
    information is incomplete", with the exception of having
    NOASSERTION be set on the DEPENDS_ON relationship more broadly,
    which may perhaps be a different discussion altogether.

    Wanted to get thoughts on this.

    Cheers
    Brandon




-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#5309): https://lists.spdx.org/g/Spdx-tech/message/5309
Mute This Topic: https://lists.spdx.org/mt/100823660/21656
Group Owner: [email protected]
Unsubscribe: https://lists.spdx.org/g/Spdx-tech/unsub [[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-
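The thread turns on two ways an SPDX document can admit it is incomplete: a package whose version is unknown (the proposed `PackageVersion: NOASSERTION`, or the field simply missing) and a `DEPENDS_ON` relationship whose target is `NOASSERTION`. A consumer on the cybersecurity side, as Eliot notes, needs to know which packages cannot be matched against vulnerability data so that coverage gaps are visible rather than silent. The script below is an added example, not code from the thread, from Syft, or from the SPDX project; it reads a small SPDX 2.3 JSON document constructed inline (not a real SBOM) and reports the packages and relationships that carry no usable version or dependency information. It assumes the standard SPDX JSON field names (`packages`, `SPDXID`, `versionInfo`, `relationships`, `relationshipType`, `relatedSpdxElement`) and treats an empty or `NOASSERTION` version as unmatchable, which is the convention under discussion rather than anything the 2.3 spec defines.

```python
import json

# Constructed SPDX 2.3 JSON fragment (not a real SBOM): one package with a
# version, one using the NOASSERTION convention from the thread, one with the
# versionInfo field omitted entirely, plus a DEPENDS_ON relationship whose
# target is NOASSERTION (the producer admits the dependency list is incomplete).
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image",
    "packages": [
        {"SPDXID": "SPDXRef-Package-libfoo", "name": "libfoo",
         "versionInfo": "1.2.3", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-vendorblob", "name": "vendorblob",
         "versionInfo": "NOASSERTION", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Package-unknown", "name": "mystery-binary",
         "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
        {"spdxElementId": "SPDXRef-Package-libfoo", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "NOASSERTION"},
    ],
})

# Version values that give a vulnerability matcher nothing to work with.
# Treating NOASSERTION this way is the thread's proposed convention, not spec text.
UNKNOWN_VERSION_VALUES = {"", "NOASSERTION"}


def unversioned_packages(sbom_json: str) -> list[str]:
    """SPDXIDs of packages whose version is absent, empty, or NOASSERTION.

    These packages cannot be matched against version-ranged advisories, so a
    scan that reports "no findings" for them is silent, not clean."""
    doc = json.loads(sbom_json)
    flagged = []
    for pkg in doc.get("packages", []):
        version = pkg.get("versionInfo", "")
        if version.strip() in UNKNOWN_VERSION_VALUES:
            flagged.append(pkg["SPDXID"])
    return flagged


def incomplete_dependency_sources(sbom_json: str) -> list[str]:
    """SPDXIDs of elements that declare DEPENDS_ON NOASSERTION, i.e. the
    producer could not enumerate that element's dependencies."""
    doc = json.loads(sbom_json)
    return [
        rel["spdxElementId"]
        for rel in doc.get("relationships", [])
        if rel.get("relationshipType") == "DEPENDS_ON"
        and rel.get("relatedSpdxElement") == "NOASSERTION"
    ]


def coverage_report(sbom_json: str) -> dict:
    """Summarise how much of the SBOM a version-based scanner can actually cover."""
    doc = json.loads(sbom_json)
    total = len(doc.get("packages", []))
    unversioned = unversioned_packages(sbom_json)
    return {
        "total_packages": total,
        "unversioned_packages": unversioned,
        "matchable_fraction": (total - len(unversioned)) / total if total else 0.0,
        "incomplete_dependency_sources": incomplete_dependency_sources(sbom_json),
    }


if __name__ == "__main__":
    print(json.dumps(coverage_report(SAMPLE_SBOM), indent=2))
```

On the constructed document the report lists two of three packages as unversioned and one element with an unenumerated dependency set. A manufacturer consuming such an SBOM can use the flagged SPDXIDs as the list of components that need a VEX statement or an out-of-band version lookup before the scan result means anything; excluding those packages from the SBOM entirely, the alternative Keith mentions, would make the same gap invisible.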