Thank you, Gary. This is consistent with what we saw in some of the DocFest submissions too.
End consumers that are only interested in performing risk assessments don't need (or want) the relative path info on component (file) names, as it serves no purpose during a NIST NVD search for vulnerabilities in components.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council
A Public-Private Partnership
Never trust software, always verify and report!
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788

From: Gary O'Neall <[email protected]>
Sent: Tuesday, September 5, 2023 2:14 PM
To: [email protected]; 'Marc-Etienne Vargenau (Nokia)' <[email protected]>; 'spdx-tech' <[email protected]>
Subject: RE: [spdx-tech] Question about FileName syntaxe

Based on the recommendations in this thread, I'll update the validation to not allow file names starting with / to be consistent with the spec and the Python libraries. I will not require all names start with ./. It will probably be a month or so before this rolls out to the online validation tool.

Thanks,
Gary

From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Tuesday, September 5, 2023 9:09 AM
To: 'Marc-Etienne Vargenau (Nokia)' <[email protected]>; 'spdx-tech' <[email protected]>
Subject: Re: [spdx-tech] Question about FileName syntaxe

Marc,

REA uses the online validation tool to determine if an SBOM can be successfully parsed: https://tools.spdx.org/app/validate/

We had trouble early on with the Python tools and opted to write our own SPDX generator and parser instead. We only support JSON and Tag/Value formats.

Thanks,

Dick Brooks

From: Marc-Etienne Vargenau (Nokia) <[email protected]>
Sent: Tuesday, September 5, 2023 11:39 AM
To: [email protected]; 'spdx-tech' <[email protected]>
Subject: Re: [spdx-tech] Question about FileName syntaxe

Hi Dick,

Currently, the Python tools complain when the path is absolute (beginning with /). The Java tools (used by the online tools) currently do not complain. The ticket below is for implementing the same control in Java as in Python.

We will issue an error if the path starts with /.

But the precise question was: should we issue an error if the path does not start with ./ ?

Marc-Etienne Vargenau

--
Marc-Etienne Vargenau
[email protected]
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68
Senior Specialist Open Source
Planned absence: none

From: Dick Brooks <[email protected]>
Date: Tuesday, September 5, 2023 at 13:12
To: Marc-Etienne Vargenau (Nokia) <[email protected]>, 'spdx-tech' <[email protected]>
Subject: RE: [spdx-tech] Question about FileName syntaxe

Many of the implementations that participated in the DocFest did not include the relative path (/) syntax. The online validation tool will pass an SBOM that does not contain the relative path filename syntax.

Thanks,

Dick Brooks

From: [email protected] <[email protected]> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Tuesday, September 5, 2023 6:44 AM
To: spdx-tech <[email protected]>
Subject: [spdx-tech] Question about FileName syntaxe

Hello,

This is related to https://github.com/spdx/Spdx-Java-Library/issues/195

FileName is defined in the spec as a relative filename. So, we should reject as invalid a FileName starting with /.

The spec then says "In general, every filename is preceded with a ./"

Is this mandatory? In other words, should we reject:

FileName: package/foo.c

What is your opinion?

Best regards,

Marc-Etienne Vargenau
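As an added example (not code from the thread, the SPDX Python tools or the Java validator), here is a small Python check that applies the rule the thread converges on: a tag/value FileName starting with "/" is rejected, one without the "./" prefix is accepted and normalized, and the bare component name a risk assessor would feed to an NVD search is derived from it. The sample document and the function names are constructed for illustration.

```python
"""Check SPDX 2.x tag/value FileName entries against the rule from the thread:
FileName must be relative, so "/..." is rejected; a leading "./" is optional."""
import posixpath
from typing import List, Tuple

# Constructed tag/value fragment, not taken from any real SBOM.
SAMPLE_TAG_VALUE = """\
SPDXVersion: SPDX-2.3
FileName: ./package/foo.c
FileName: package/bar.c
FileName: /usr/src/package/baz.c
"""


def check_file_name(name: str) -> Tuple[bool, str, str]:
    """Return (is_valid, normalized_name, reason).

    Rejects an empty value and an absolute POSIX path (leading "/"), matching
    what the Python tools do and what the online validator will do. A relative
    name without "./" is accepted and normalized to the "./" spelling.
    """
    if not name:
        return False, name, "empty FileName"
    if name.startswith("/"):
        return False, name, "absolute path: FileName must be relative"
    if name.startswith("./"):
        return True, name, "ok"
    return True, "./" + name, "accepted without ./ prefix"


def component_name(name: str) -> str:
    """Strip the path: the bare file name is what an NVD component search uses."""
    return posixpath.basename(name)


def validate_tag_value(doc: str) -> List[Tuple[str, bool, str, str]]:
    """Scan a tag/value document; one (value, valid, normalized, reason) per FileName."""
    results = []
    for line in doc.splitlines():
        tag, sep, value = line.partition(":")
        if sep and tag.strip() == "FileName":
            value = value.strip()
            ok, norm, reason = check_file_name(value)
            results.append((value, ok, norm, reason))
    return results
```

Only the POSIX "/" form discussed in the thread is treated as absolute; other platform-specific absolute forms are left to the real validators.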
