Thank you, Gary. This is consistent with what we saw in some of the DocFest
submissions too.

 

End consumers that are only interested in performing “risk assessments”
don’t need (or want) the relative path info on component (file) names, as it
serves no purpose during a NIST NVD search for vulnerabilities in
components. 

 

Thanks,

 

Dick Brooks

Active Member of the CISA Critical Manufacturing Sector,
Sector Coordinating Council – A Public-Private Partnership

Never trust software, always verify and report! ™
https://reliableenergyanalytics.com/products
http://www.reliableenergyanalytics.com
Email: [email protected]
Tel: +1 978-696-1788


From: Gary O'Neall <[email protected]> 
Sent: Tuesday, September 5, 2023 2:14 PM
To: [email protected]; 'Marc-Etienne Vargenau (Nokia)'
<[email protected]>; 'spdx-tech' <[email protected]>
Subject: RE: [spdx-tech] Question about FileName syntaxe

 

Based on the recommendations in this thread, I’ll update the validation to
not allow file names starting with “/” to be consistent with the spec and
the Python libraries. I will not require that all names start with “./”.

 

It will probably be a month or so before this rolls out to the online
validation tool.

 

Thanks,
Gary
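The rule Gary settles on above (reject a FileName that begins with “/”, accept one without the “./” prefix), as an added example written for this thread; it is not code from the SPDX Java or Python tools. It walks the FileName: entries of a constructed Tag/Value snippet and reports each verdict.

```python
import re
from typing import List, Tuple

# Constructed Tag/Value fragment for illustration; not taken from the thread.
SAMPLE_TAG_VALUE = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
FileName: ./src/main.c
SPDXID: SPDXRef-File-main
FileName: package/foo.c
SPDXID: SPDXRef-File-foo
FileName: /usr/lib/libfoo.so
SPDXID: SPDXRef-File-libfoo
"""


def check_file_name(name: str) -> Tuple[bool, str]:
    """Apply the validation rule discussed in the thread.

    An absolute path (leading '/') is rejected because the spec defines
    FileName as a relative filename.  The './' prefix is the spec's stated
    convention but is not enforced, so 'package/foo.c' passes.
    Returns (is_valid, message).
    """
    if name == "":
        return False, "empty FileName"
    if name.startswith("/"):
        return False, f"absolute path not allowed: {name!r}"
    if not name.startswith("./"):
        return True, f"accepted without './' prefix: {name!r}"
    return True, f"ok: {name!r}"


def validate_tag_value(doc: str) -> List[Tuple[int, str, bool, str]]:
    """Check every 'FileName:' line of a Tag/Value document.

    Returns one (line_number, value, is_valid, message) tuple per entry,
    in document order, so a caller can fail the whole SBOM on any False.
    """
    results = []
    for lineno, line in enumerate(doc.splitlines(), start=1):
        match = re.match(r"^FileName:\s*(.*?)\s*$", line)
        if match:
            value = match.group(1)
            ok, msg = check_file_name(value)
            results.append((lineno, value, ok, msg))
    return results


if __name__ == "__main__":
    for lineno, value, ok, msg in validate_tag_value(SAMPLE_TAG_VALUE):
        print(f"line {lineno}: {'PASS' if ok else 'FAIL'} - {msg}")
```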

 

From: [email protected] <[email protected]> On Behalf Of Dick Brooks
Sent: Tuesday, September 5, 2023 9:09 AM
To: 'Marc-Etienne Vargenau (Nokia)' <[email protected]>; 'spdx-tech' <[email protected]>
Subject: Re: [spdx-tech] Question about FileName syntaxe

 

Marc,

 

REA uses the online validation tool to determine if an SBOM can be
“successfully parsed”:

https://tools.spdx.org/app/validate/

 

We had trouble early on with the Python tools and opted to write our own
SPDX generator and parser instead. We only support JSON and Tag/Value
formats.

 

Thanks,

 

Dick Brooks


From: Marc-Etienne Vargenau (Nokia) <[email protected]>
Sent: Tuesday, September 5, 2023 11:39 AM
To: [email protected]; 'spdx-tech' <[email protected]>
Subject: Re: [spdx-tech] Question about FileName syntaxe

 

Hi Dick,

 

Currently, the Python tools complain when the path is absolute (beginning
with “/”).

The Java tools (used by the online tools) currently do not complain.

The ticket below is for implementing the same control in Java as in Python.

 

We will issue an error if the path starts with “/”.

But the precise question was: should we issue an error if the path does not
start with “./”?

 

Marc-Etienne Vargenau

 

-- 
Marc-Etienne Vargenau
[email protected]
Nokia, 12, rue Jean-Bart, 91300 Massy, FRANCE
Mobile: +33 6 24 49 78 68

Senior Specialist Open Source
Planned absence: none


From: Dick Brooks <[email protected]>
Date: Tuesday, September 5, 2023 at 13:12
To: Marc-Etienne Vargenau (Nokia) <[email protected]>, 'spdx-tech' <[email protected]>
Subject: RE: [spdx-tech] Question about FileName syntaxe

 

Many of the implementations that participated in the DocFest did not include
the “relative path” (/) syntax. The online validation tool will pass an SBOM
that does not contain the relative path filename syntax. 

 

Thanks,

 

Dick Brooks


From: [email protected] <[email protected]> On Behalf Of Vargenau, Marc-Etienne (Nokia - FR/Paris-Saclay)
Sent: Tuesday, September 5, 2023 6:44 AM
To: spdx-tech <[email protected]>
Subject: [spdx-tech] Question about FileName syntaxe

 

Hello,

 

This is related to https://github.com/spdx/Spdx-Java-Library/issues/195

 

FileName is defined in the spec as “a relative filename”.

 

So, we should reject as invalid a FileName starting with “/”.

 

The spec then says “In general, every filename is preceded with a ./”

Is this mandatory?

 

In other words, should we reject:

FileName: package/foo.c

 

What is your opinion?

 

Best regards,

 

Marc-Etienne Vargenau
