Hi Kobota-san,

From: [email protected] <[email protected]> On Behalf Of Norio Kobota
Sent: Saturday, June 22, 2024 4:43 PM
To: [email protected]
Subject: Re: [spdx] Files used in Package Verification Code

Hi Gary and Keith,

Sorry to interrupt. Regarding this topic, I have a question. Since the gitoid and swhid will not be the same as the verification code of a locally modified package, I believe that in such cases we can use 'verifiedUsing' in the /Core/Element class. Is my understanding correct?

[G.O.] Yes – you can use verifiedUsing.

I wonder if there is a utility or a git command that will generate a gitoid on a local machine. Perhaps others on the SPDX dist. list may know of such a utility.

Best,
kobota

_____

From: [email protected] <[email protected]> On Behalf Of Gary O'Neall
Sent: Sunday, June 23, 2024 2:33:36 AM
To: [email protected]
Subject: Re: [spdx] Files used in Package Verification Code

Hi Keith,

As background, the Package Verification Code has been one of the most challenging fields to be consistent in our past Docfests, where we compared SPDX documents produced by different tools.

Before attempting answers to the specific questions below, a few general pointers for those on the dist. list interested in this topic:

* In the SPDX 2.3.1 spec (unpublished) we added Annex K section 3, Verifying SPDX Packages <https://github.com/spdx/spdx-spec/blob/development/v2.3.1/chapters/how-to-use.md#k3-verifying-spdx-packages>, describing how to verify packages.
* In SPDX 3.0, we are encouraging the use of the contentIdentifier <https://spdx.github.io/spdx-spec/v3.0/model/Software/Properties/contentIdentifier/> as an alternative to the Package Verification Code. The value of the contentIdentifier can be a gitoid or a swhid – both of which use a similar but more standardized hashing algorithm compared to the Package Verification Code.

Gary

From: [email protected] <[email protected]> On Behalf Of Keith Zantow via lists.spdx.org
Sent: Saturday, June 22, 2024 8:34 AM
To: [email protected]
Subject: [spdx] Files used in Package Verification Code

Hi all,

In SPDX 2 (and 3, I suppose), if we include a Package Verification Code <https://spdx.github.io/spdx-spec/v2.3/package-information/#79-package-verification-code-field>, are the files used also required to be in the SBOM document? The spec says "all files", which I originally read to mean that these should be files included in the SBOM, but the spec doesn't explicitly state that. I found a working draft of the docs <https://github.com/spdx/spdx-spec/blob/development/v2.3.1/chapters/how-to-use.md#k31-general-guidance> that has some phrasing which seems to possibly support this belief, but it isn't what's in the current published spec.

[G.O.] The package verification code should be used when source files are analyzed. When source files are analyzed – all files should be included in the SBOM.

And what would be the right thing to do if a tool finds a package and downloads something that was not part of the original scan to create the package verification code? I would think those files should not be included in the SBOM, since they were not part of the requested scan target directly.

[G.O.] One way to approach this problem is to clearly distinguish the difference between source files belonging to the package the SBOM is describing and source files belonging to the dependent package that you downloaded. You can do this by having the source file relationships be to the dependent package and having a dependency relationship between the package the SBOM is describing and the dependent package. Including all the source file information will be helpful in several scenarios when you want to completely validate and reproduce the packages involved. Another approach would be to use the checksum of the downloaded archive file (assuming it is an archive file) for validating the dependent package rather than using the package verification code + source files. In general, my suggestion is: if you include a package verification code, you should include all the file information.

Ultimately, I'm trying to understand the right thing to do in this scenario:

* a tool scans a directory and finds a file with package references
* the tool downloads the packages from an external source, with some verification they are correct
* the tool calculates a package verification code from these files

Should those files be included in the SBOM somehow? Can they be omitted and the package verification code used with some information on how it was calculated? Should the tool not do this in the first place?

Thanks much,
-Keith

-=-=-=-=-=-=-=-=-=-=-=-
View/Reply Online (#1873): https://lists.spdx.org/g/spdx/message/1873
Group Owner: [email protected]
-=-=-=-=-=-=-=-=-=-=-=-
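As an added worked example (not code from the thread, and not the SPDX project's own tooling), the following Python computes both identifiers the thread compares: the SPDX 2.3 Package Verification Code, following the algorithm in spec section 7.9.4 (SHA-1 over the sorted, separator-free concatenation of every package file's SHA-1 hex digest, with the SPDX document itself excluded), and the git blob object id that `git hash-object <file>` prints, which is the sha1 form of a gitoid. The package files are constructed in memory; the `gitoid:blob:sha1:` URI prefix is the form used by gitoid/OmniBOR-style tooling and is an assumption here rather than something stated in the thread. The demo also shows the point behind Kobota-san's question: a local edit to one file changes both that file's gitoid and the package's verification code, so a previously published value of either will no longer match the modified tree.

```python
# Added example; not part of the SPDX mailing-list thread or the SPDX project's code.
# Computes an SPDX 2.3 Package Verification Code (spec section 7.9.4) and
# git blob object ids (the sha1 gitoid form) for a constructed in-memory package.
import hashlib
from typing import Dict, Iterable


def git_blob_sha1(content: bytes) -> str:
    """Git object id of `content` stored as a blob.

    This is exactly what `git hash-object <file>` prints: SHA-1 over the
    header "blob <length>\\0" followed by the raw file bytes.
    """
    header = b"blob %d\0" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def gitoid_sha1_uri(content: bytes) -> str:
    """gitoid URI for a blob; the 'gitoid:blob:sha1:<hex>' prefix form is assumed."""
    return "gitoid:blob:sha1:" + git_blob_sha1(content)


def package_verification_code(files: Dict[str, bytes], excludes: Iterable[str] = ()) -> str:
    """SPDX 2.3 section 7.9.4 algorithm.

    1. SHA-1 each file in the package, skipping the excluded SPDX document(s).
    2. Sort the hex digests in ascending order.
    3. Concatenate them with no separator and SHA-1 the resulting ASCII string.
    """
    excluded = set(excludes)
    digests = sorted(
        hashlib.sha1(data).hexdigest()
        for name, data in files.items()
        if name not in excluded
    )
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def package_verification_code_field(files: Dict[str, bytes], excludes: Iterable[str] = ()) -> str:
    """Render the tag/value field, e.g. 'PackageVerificationCode: <hex> (excludes: ./package.spdx)'."""
    excludes = list(excludes)
    code = package_verification_code(files, excludes)
    if excludes:
        return f"PackageVerificationCode: {code} (excludes: {' '.join(excludes)})"
    return f"PackageVerificationCode: {code}"


def demonstrate() -> Dict[str, str]:
    """Constructed package: compute the code, then modify one file locally and recompute."""
    # Constructed sample files (not taken from any real package).
    package = {
        "./src/main.c": b"int main(void) { return 0; }\n",
        "./README": b"sample package\n",
        "./package.spdx": b"SPDXVersion: SPDX-2.3\n",  # the SBOM itself must be excluded
    }
    excludes = ["./package.spdx"]
    original_pvc = package_verification_code(package, excludes)
    original_gitoid = gitoid_sha1_uri(package["./src/main.c"])

    # A local edit to a single source file.
    modified = dict(package)
    modified["./src/main.c"] = b"int main(void) { return 1; }\n"
    modified_pvc = package_verification_code(modified, excludes)
    modified_gitoid = gitoid_sha1_uri(modified["./src/main.c"])

    return {
        "field": package_verification_code_field(package, excludes),
        "original_pvc": original_pvc,
        "modified_pvc": modified_pvc,
        "original_gitoid": original_gitoid,
        "modified_gitoid": modified_gitoid,
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

On a real checkout, `git hash-object path/to/file` (available in any git install, no repository needed) prints the same hex value as `git_blob_sha1` for that file, which is one answer to the "git command that will generate a gitoid" question; the verification code, by contrast, is only meaningful together with the exact file set and exclude list it was computed over, which is why the thread ties it to listing all the files in the SBOM.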
