OpenChain-Project / Telco-WG

This is the OpenChain Telco Work Group

[Question] PURL field in SPDX #72

Closed winterrocks closed 1 year ago

winterrocks commented 1 year ago

Question

In the current spec draft it says:

A package SHOULD be identified by a Package URL (PURL).

But since SPDX does not have an actual package PURL field specified, should we specify where the PURL needs to be? I'm not an SPDX specialist, but I guess the PURL could be put in the 7.21 External reference field (SPDX 2.2).

winterrocks commented 1 year ago

Answering myself: Gary's CycloneDX - SPDX mapping table (https://docs.google.com/spreadsheets/d/1PIiSYLJHlt8djG5OoOYniy_I-J31UMhBKQ62UUBHKVA/edit#gid=862310124)

On row 45, the CycloneDX purl field has been mapped to the SPDX externalRef field.

vargenau commented 1 year ago

Yes, the PURL should be put in ExternalRef, for example:

ExternalRef: PACKAGE-MANAGER purl pkg:pypi/django@1.11.1

I will add a clarification in the specification.
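One way to check an SPDX tag-value document for the ExternalRef placement described in this thread, as an added example that is not part of the issue or of the OpenChain specification. The function names, the simplified purl pattern and the sample document are assumptions constructed for illustration.

```python
import re

# Simplified purl shape check (scheme, type, name, optional version,
# qualifiers, subpath); not a full implementation of the purl specification.
PURL_RE = re.compile(
    r"^pkg:[A-Za-z][A-Za-z0-9.+-]*/[^\s@?#]+(@[^\s?#]+)?(\?[^\s#]+)?(#\S+)?$"
)

def purls_by_package(tag_value_text):
    """Map each PackageName to the purls found in its ExternalRef lines."""
    packages, current = {}, None
    for raw in tag_value_text.splitlines():
        line = raw.strip()
        if line.startswith("PackageName:"):
            current = line.split(":", 1)[1].strip()
            packages[current] = []
        elif line.startswith("ExternalRef:") and current is not None:
            # Expected fields: <category> <type> <locator>
            fields = line.split(":", 1)[1].split()
            if len(fields) == 3:
                category, ref_type, locator = fields
                # Some serializations write PACKAGE_MANAGER with an underscore.
                if category.replace("_", "-") == "PACKAGE-MANAGER" and ref_type == "purl":
                    packages[current].append(locator)
    return packages

def audit(tag_value_text):
    """Return (packages with no purl, purls that fail the shape check)."""
    found = purls_by_package(tag_value_text)
    missing = sorted(name for name, purls in found.items() if not purls)
    malformed = sorted(p for purls in found.values() for p in purls
                       if not PURL_RE.match(p))
    return missing, malformed

# Constructed sample document (not taken from a real SBOM).
SAMPLE = """\
SPDXVersion: SPDX-2.2
PackageName: django
ExternalRef: PACKAGE-MANAGER purl pkg:pypi/django@1.11.1
PackageName: internal-tool
ExternalRef: SECURITY cpe23Type cpe:2.3:a:example:internal-tool:1.0:*:*:*:*:*:*:*
PackageName: leftpad
ExternalRef: PACKAGE-MANAGER purl npm:leftpad@1.0.0
"""

if __name__ == "__main__":
    missing, malformed = audit(SAMPLE)
    print("packages without a purl:", missing)
    print("malformed purls:", malformed)
```

A package that carries only a CPE reference is reported as missing a purl, and a locator without the `pkg:` scheme is reported as malformed.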

vargenau commented 1 year ago

Hi Jari,

Yes, the PURL should be put in ExternalRef, for example:

ExternalRef: PACKAGE-MANAGER purl @.***

I will add a clarification in the specification.

Best regards,

Marc-Etienne


From: Jari Koivisto. Date: Tuesday, 5 September 2023 at 13:32. To: OpenChain-Project/Telco-WG. Cc: Subscribed. Subject: Re: [OpenChain-Project/Telco-WG] [Question] PURL field in SPDX (Issue #72)

Answering myself: Gary's CycloneDX - SPDX mapping table (https://docs.google.com/spreadsheets/d/1PIiSYLJHlt8djG5OoOYniy_I-J31UMhBKQ62UUBHKVA/edit#gid=862310124)

On row 45, the CycloneDX purl field has been mapped to the SPDX externalRef field.
