Hi all,

In SPDX 2 (and 3, I suppose), if we include a Package Verification Code
<https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field>,
are the files used also required to be in the SBOM document?

The spec says "all files", which I originally read to mean that these
should be files included in the SBOM, but the spec doesn't explicitly state
that. I found a working draft of the docs
<https://github.com/spdx/spdx-spec/blob/development/v2.3.1/chapters/how-to-use.md#k31-general-guidance>
that has some phrasing which seems to possibly support this belief, but it
isn't what's in the current published spec.

And what would be the right thing to do if a tool finds a package and
downloads something that was not part of the original scan to create the
package verification code? I would think those files should not be included
in the SBOM, since they were not part of the requested scan target directly.

Ultimately, I'm trying to understand the right thing to do in this scenario:

* a tool scans a directory and finds a file with package references
* the tool downloads the packages from an external source, with some
verification that they are correct
* the tool calculates a package verification code from these files

Should those files be included in the SBOM somehow? Can they be omitted and
the package verification code used with some information about how it was
calculated? Should the tool not do this in the first place?

Thanks much,
-Keith
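As an added example for the scenario in this post (not code from the SPDX project or the poster), the Python below computes a Package Verification Code the way SPDX 2.3 section 7.9 describes it and then shows why the question matters: a consumer that holds only the scanned files cannot reproduce a code that also covered downloaded files. The file names and contents are constructed.

```python
import hashlib
import hmac


def package_verification_code(files: dict[str, bytes], excludes: tuple[str, ...] = ()) -> str:
    """PVC as SPDX 2.3 section 7.9 defines it: SHA-1 each non-excluded file,
    sort the hex digests as strings, concatenate, SHA-1 the result. The
    optional suffix uses the tag-value form "(excludes: a, b)"."""
    digests = sorted(
        hashlib.sha1(data).hexdigest()
        for path, data in files.items()
        if path not in excludes
    )
    code = hashlib.sha1("".join(digests).encode("ascii")).hexdigest()
    if excludes:
        code += " (excludes: " + ", ".join(excludes) + ")"
    return code


def pvc_matches(files: dict[str, bytes], claimed: str) -> bool:
    """Consumer side: recompute over the files we hold (honouring any
    excludes suffix in the claimed value) and compare."""
    _, _, suffix = claimed.partition(" (excludes: ")
    excludes = tuple(suffix.rstrip(")").split(", ")) if suffix else ()
    return hmac.compare_digest(package_verification_code(files, excludes), claimed)


# Constructed scenario from the post: files found in the scanned directory,
# plus an artifact the tool fetched from an external source afterwards.
SCANNED = {
    "./requirements.txt": b"leftpad==1.0\n",
    "./sbom.spdx": b"SPDXVersion: SPDX-2.3\n",  # the document itself, excluded
}
DOWNLOADED = {"./downloads/leftpad-1.0.tar.gz": b"\x1f\x8b constructed tarball bytes"}


def demo() -> dict[str, bool]:
    producer_view = {**SCANNED, **DOWNLOADED}
    code = package_verification_code(producer_view, excludes=("./sbom.spdx",))
    return {
        # The same file set, in any order, reproduces the code.
        "reproducible": pvc_matches(dict(reversed(list(producer_view.items()))), code),
        # Holding only the scanned files, a consumer cannot verify it: the downloaded
        # files went into the code, so they must be listed or the code is unverifiable.
        "verifiable_from_scan_only": pvc_matches(SCANNED, code),
    }


if __name__ == "__main__":
    print(demo())
```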


-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#1869): https://lists.spdx.org/g/spdx/message/1869
-=-=-=-=-=-=-=-=-=-=-=-