Greetings and welcome to the SPDX community! You can use the relationship object with an spdxElementId of the package, the relatedSpdxElement of the file and a relationshipType of CONTAINS. Part of the confusion is that the JSON schema is not very well documented relative to the text in the specification, something we addressed in the SPDX 3.0 specification. The hasFiles property in the JSON file is actually translated to a relationship in the SPDX model. The inclusion of the hasFiles property was done as a convenience for some of the community who desired a less verbose serialization format. We're encouraging folks to move to the relationship approach as it is more flexible and (more) forward compatible with SPDX 3.

Gary

From: [email protected] <[email protected]> On Behalf Of vivekkumarsahu650 via lists.spdx.org
Sent: Wednesday, November 20, 2024 9:04 PM
To: [email protected]
Subject: [spdx] Relation b/w files and Packages #spdx

Hey Community, this is my first post. I am working on BSI:2.0 compliance for the implementation of sbomqs. This is my understanding of how files and components are connected to each other:

To know whether a component contains any files or not: this can be answered from the filesAnalyzed value. If filesAnalyzed is true, that means the component contains files, and if filesAnalyzed is false, that means the component doesn't contain any files.

Now the second part is: to know which files a component contains. This can be answered from the hasFiles field (as shown in the example below). It lists all file names; in short, it lists all files that the component contains.

Now, to get detailed information on each file listed in hasFiles, it is described in the Files section. Here each file is described in detail with information such as file name, checksums, hasFiles, file type, and many more. And that is how we can trace the files attached to a component and their detailed description.

Below is the example containing all the fields that I referred to above.
https://github.com/spdx/ntia-conformance-checker/blob/main/tests/data/no_elements_missing/SPDXJSONExample-v2.3.spdx.json#L111C1-L112C1
Now the challenge is:

- In the official doc <https://spdx.github.io/spdx-spec/v2.3/package-information/> for version 2.2 or 2.3 there is no such hasFiles field. As a result, I now don't have the answer to this question: which files does a component contain? And that is what my doubt, or rather question, is. So, yeah, looking forward to hearing from the community :)

In BSI:2.0 <https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/TechGuidelines/TR03183/BSI-TR-03183-2-2_0_0.pdf?__blob=publicationFile&v=3>, there are four fields that directly depend on this concept of files:

* filename
* executable
* archive
* structured

View/Reply Online (#1940): https://lists.spdx.org/g/spdx/message/1940
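As an added example (not code from the SPDX project, sbomqs, or either poster), the following Python resolves package-to-file containment in an SPDX 2.3 JSON document the way Gary's reply describes: it accepts both the hasFiles shortcut and CONTAINS / CONTAINED_BY relationships, drops references that do not resolve to a file element, and can rewrite hasFiles into the relationship form. The SBOM, its SPDXIDs, file names and checksums are constructed for illustration; the field names (packages, files, relationships, hasFiles, filesAnalyzed, spdxElementId, relatedSpdxElement, relationshipType) are those of the SPDX 2.3 JSON schema.

```python
import json
from copy import deepcopy

# Constructed SPDX 2.3 JSON document for illustration (not a real SBOM).
# Only the fields relevant to package/file containment are filled in.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        # Style 1: the hasFiles convenience property (one reference is deliberately dangling)
        {"SPDXID": "SPDXRef-pkg-a", "name": "libalpha", "filesAnalyzed": True,
         "hasFiles": ["SPDXRef-file-1", "SPDXRef-file-2", "SPDXRef-file-missing"]},
        # Style 2: containment expressed only through relationships
        {"SPDXID": "SPDXRef-pkg-b", "name": "tool-beta", "filesAnalyzed": True},
        # filesAnalyzed false: no file-level data was produced for this package
        {"SPDXID": "SPDXRef-pkg-c", "name": "vendored-gamma", "filesAnalyzed": False},
    ],
    "files": [
        {"SPDXID": "SPDXRef-file-1", "fileName": "./src/alpha.c", "fileTypes": ["SOURCE"],
         "checksums": [{"algorithm": "SHA1", "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]},
        {"SPDXID": "SPDXRef-file-2", "fileName": "./src/alpha.h", "fileTypes": ["SOURCE"],
         "checksums": [{"algorithm": "SHA1", "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"}]},
        {"SPDXID": "SPDXRef-file-3", "fileName": "./bin/beta", "fileTypes": ["BINARY"],
         "checksums": [{"algorithm": "SHA256", "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
        {"SPDXID": "SPDXRef-file-4", "fileName": "./share/beta.tar.gz", "fileTypes": ["ARCHIVE"],
         "checksums": [{"algorithm": "SHA256", "checksumValue": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}]},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-pkg-a", "relationshipType": "DESCRIBES"},
        {"spdxElementId": "SPDXRef-pkg-b", "relatedSpdxElement": "SPDXRef-file-3", "relationshipType": "CONTAINS"},
        # The same fact stated from the file's side; a consumer has to accept both directions
        {"spdxElementId": "SPDXRef-file-4", "relatedSpdxElement": "SPDXRef-pkg-b", "relationshipType": "CONTAINED_BY"},
    ],
})


def load_sample() -> dict:
    """Parse the constructed SBOM above into a plain dict."""
    return json.loads(SAMPLE_SBOM_JSON)


def file_ids(doc: dict) -> set:
    """SPDXIDs of every element in the top-level files array."""
    return {f["SPDXID"] for f in doc.get("files", [])}


def package_files(doc: dict, package_id: str) -> set:
    """SPDXIDs of files a package contains, merging hasFiles with CONTAINS/CONTAINED_BY.

    References that do not resolve to a file element are dropped; use
    dangling_file_refs() to surface them as a quality finding.
    """
    found = set()
    for pkg in doc.get("packages", []):
        if pkg["SPDXID"] == package_id:
            found.update(pkg.get("hasFiles", []))
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype == "CONTAINS" and rel["spdxElementId"] == package_id:
            found.add(rel["relatedSpdxElement"])
        elif rtype == "CONTAINED_BY" and rel["relatedSpdxElement"] == package_id:
            found.add(rel["spdxElementId"])
    return {fid for fid in found if fid in file_ids(doc)}


def dangling_file_refs(doc: dict) -> set:
    """hasFiles entries that point at no file element in the document."""
    known = file_ids(doc)
    return {fid for pkg in doc.get("packages", []) for fid in pkg.get("hasFiles", []) if fid not in known}


def file_details(doc: dict, file_id: str) -> dict:
    """The full file element (fileName, checksums, fileTypes, ...) for an SPDXID."""
    for f in doc.get("files", []):
        if f["SPDXID"] == file_id:
            return f
    raise KeyError(file_id)


def hasfiles_to_relationships(doc: dict) -> dict:
    """Return a copy where every hasFiles entry becomes a CONTAINS relationship.

    Existing CONTAINS relationships are kept; duplicates are not added.
    This is the relationship-only form the SPDX maintainers recommend.
    """
    out = deepcopy(doc)
    rels = out.setdefault("relationships", [])
    existing = {(r["spdxElementId"], r["relatedSpdxElement"], r["relationshipType"]) for r in rels}
    for pkg in out.get("packages", []):
        for fid in pkg.pop("hasFiles", []):
            key = (pkg["SPDXID"], fid, "CONTAINS")
            if key not in existing:
                rels.append({"spdxElementId": key[0], "relatedSpdxElement": key[1], "relationshipType": key[2]})
                existing.add(key)
    return out


if __name__ == "__main__":
    sbom = load_sample()
    for pkg in sbom["packages"]:
        names = sorted(file_details(sbom, fid)["fileName"] for fid in package_files(sbom, pkg["SPDXID"]))
        print(pkg["name"], "filesAnalyzed =", pkg["filesAnalyzed"], "files =", names)
    print("dangling hasFiles references:", sorted(dangling_file_refs(sbom)))
```

Note that filesAnalyzed being true only says that file-level analysis was performed; whether any file is actually attached to a package is answered by the union of hasFiles and the relationships, and a dangling hasFiles reference is worth flagging rather than silently counting as a file.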
