alilleybrinker / cargo-spdx

Generate an SPDX Software Bill of Materials for Rust crates.
https://crates.io/crates/cargo-spdx

Generate package information #1

Closed alilleybrinker closed 2 years ago

alilleybrinker commented 2 years ago

SPDX includes specification of packages included in a bundle. This means both the current crate and the crates on which it depends.

tofay commented 2 years ago

For binary builds, https://github.com/alilleybrinker/cargo-spdx/pull/9 adds dependent package information.

For a crate SBOM, is there any point in listing dependent packages in the SBOMs? I don't think so, as the crate only has a loose, unresolved dependency on other crates, which doesn't seem meaningful from a licensing/vulnerability/bill of materials perspective.

alilleybrinker commented 2 years ago

Hm, yeah, you're right: in that context you're working with version constraints, not actual versions of a dependency. The SBOM can encode additional information, so perhaps in the top-level package it's worth encoding what those version constraints are? It wouldn't be in a standardized field though, so it may not be worth much.

tofay commented 2 years ago

I suspect that it's not worth it - SBOMs are not for dependency resolution but rather to record the resolved contents. For binaries that includes dependent packages, but not for a crate. Can this be closed now that #9 is merged?
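
An added example (not cargo-spdx's own code) of the distinction drawn in this thread: it reads a constructed `cargo metadata --format-version 1` document and emits resolved dependency packages with `DEPENDS_ON` relationships only when the root crate builds a binary; for a library crate it emits the crate alone and keeps the unresolved version requirements as a comment rather than as packages. The sample metadata is constructed for the example; the SPDX tag names are standard SPDX 2.x tags.

```python
import json
import re
# Constructed sample shaped like `cargo metadata --format-version 1` output:
# `app` declares `foo = "^1.0"`; Cargo's resolve graph pins it to foo 1.2.3.
APP_ID = "app 0.1.0 (path+file:///app)"
FOO_ID = "foo 1.2.3 (registry+https://github.com/rust-lang/crates.io-index)"
SAMPLE = json.dumps({"packages": [
    {"id": APP_ID, "name": "app", "version": "0.1.0", "license": "MIT",
     "targets": [{"kind": ["bin"], "name": "app"}],
     "dependencies": [{"name": "foo", "req": "^1.0"}]},
    {"id": FOO_ID, "name": "foo", "version": "1.2.3", "license": "Apache-2.0",
     "targets": [{"kind": ["lib"], "name": "foo"}], "dependencies": []},
], "resolve": {"root": APP_ID, "nodes": [{"id": APP_ID, "dependencies": [FOO_ID]},
                                         {"id": FOO_ID, "dependencies": []}]}})

def spdx_id(pkg):
    # SPDX identifiers allow only letters, digits, '.' and '-'.
    return "SPDXRef-" + re.sub(r"[^A-Za-z0-9.-]", "-", f"{pkg['name']}-{pkg['version']}")

def resolved_closure(root_id, by_id, edges):
    # Depth-first walk over Cargo's resolve graph: pinned versions, cycles tolerated.
    seen, order, stack = set(), [], [root_id]
    while stack:
        pid = stack.pop()
        if pid not in seen:
            seen.add(pid)
            order.append(by_id[pid])
            stack.extend(reversed(edges[pid]))
    return order

def spdx_packages(metadata_json):
    # Binary root: resolved closure becomes SPDX packages plus DEPENDS_ON relationships.
    # Library root: only the crate itself; its requirements are a comment, not packages.
    meta = json.loads(metadata_json)
    by_id = {p["id"]: p for p in meta["packages"]}
    edges = {n["id"]: n["dependencies"] for n in meta["resolve"]["nodes"]}
    root = by_id[meta["resolve"]["root"]]
    binary = any("bin" in t["kind"] for t in root["targets"])
    packages, relationships = [], []
    for pkg in resolved_closure(root["id"], by_id, edges) if binary else [root]:
        packages.append({"SPDXID": spdx_id(pkg), "PackageName": pkg["name"],
                         "PackageVersion": pkg["version"],
                         "PackageLicenseDeclared": pkg.get("license") or "NOASSERTION"})
        for dep_id in (edges[pkg["id"]] if binary else []):
            relationships.append(f"{spdx_id(pkg)} DEPENDS_ON {spdx_id(by_id[dep_id])}")
    if not binary:
        reqs = ", ".join(f"{d['name']} {d['req']}" for d in root["dependencies"])
        packages[0]["PackageComment"] = f"unresolved dependency requirements: {reqs}"
    return packages, relationships
```

Feeding real `cargo metadata` output to `spdx_packages` gives the pinned versions from the resolve graph rather than the `req` constraints in `Cargo.toml`, which is the difference the thread is about.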

alilleybrinker commented 2 years ago

Yup, closing.