alilleybrinker / cargo-spdx

Generate an SPDX Software Bill of Materials for Rust crates.
https://crates.io/crates/cargo-spdx
Other
19 stars 2 forks

Generate element relationship information #4

Open alilleybrinker opened 2 years ago

alilleybrinker commented 2 years ago

SPDX permits specification of the relationship between elements. There's a pretty substantial list of relationship types that can be represented, and of entities that can be related. The documentation gives some examples:

```
Relationship: SPDXRef-grep CONTAINS SPDXRef-make
RelationshipComment: Package grep contains file make

Relationship: SPDXRef-DOCUMENT AMENDS DocumentRef-SPDXA:SPDXRef-DOCUMENT
RelationshipComment: This current document is an amendment of the SPDXA document.

Relationship: SPDXRef-CarolCompression DEPENDS_ON NONE
RelationshipComment: The package CarolCompression can be considered as a root with no dependencies.

Relationship: SPDXRef-BobBrowser CONTAINS NOASSERTION
RelationshipComment: The package BobBrowser may have other packages embedded in it, but the author has insufficient information to treat this as other than unknown at this point in time.
```

We need to generate this information for files in a crate, as well as for dependencies used.

tofay commented 2 years ago

#9 introduces relationships between a binary file for the SBOM and all the dependent crates

#10 introduces relationships between crates and their source files
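The two relationship kinds discussed in this thread (a binary that `DEPENDS_ON` the crates linked into it, and a crate that `CONTAINS` its source files), together with the `DEPENDS_ON NONE` root case from the quoted SPDX examples, written out as an added Rust example. This is not cargo-spdx's own code and is not from either commenter; every `SPDXRef-...` identifier, crate name and file name in it is constructed for the example, and the `dangling_references` check is an assumed consumer-side validation, not something the project ships.

```rust
// Added example, not cargo-spdx's own code: models the relationships this
// issue asks for and emits them in SPDX tag-value form. All SPDXRef ids,
// crate names and file names are constructed.
use std::collections::HashSet;

/// Right-hand side of a relationship: an element, or one of the two special
/// values SPDX allows in that position.
#[derive(Debug, Clone, PartialEq)]
pub enum Target {
    Element(String),
    /// The element has no such relationship, e.g. a root crate with no dependencies.
    None,
    /// The author has insufficient information to say either way.
    NoAssertion,
}

#[derive(Debug, Clone, PartialEq)]
pub struct Relationship {
    pub from: String,
    pub kind: &'static str,
    pub to: Target,
    pub comment: Option<String>,
}

impl Relationship {
    fn new(from: &str, kind: &'static str, to: Target, comment: Option<&str>) -> Self {
        Relationship { from: from.to_string(), kind, to, comment: comment.map(str::to_string) }
    }

    /// Render as the `Relationship:` / `RelationshipComment:` pair quoted in the issue.
    pub fn to_tag_value(&self) -> String {
        let to = match &self.to {
            Target::Element(id) => id.as_str(),
            Target::None => "NONE",
            Target::NoAssertion => "NOASSERTION",
        };
        let mut out = format!("Relationship: {} {} {}", self.from, self.kind, to);
        if let Some(c) = &self.comment {
            out.push_str(&format!("\nRelationshipComment: {}", c));
        }
        out
    }
}

/// A crate as the generator sees it: its own SPDX id, the ids of the crates it
/// depends on, and the ids of the source files it contains.
pub struct Crate {
    pub id: String,
    pub deps: Vec<String>,
    pub files: Vec<String>,
}

/// The binary DEPENDS_ON every crate in the build; each crate CONTAINS its files
/// and DEPENDS_ON its own dependencies. A crate with no dependencies gets an
/// explicit `DEPENDS_ON NONE`, so a consumer can tell "root crate" apart from
/// "dependencies not recorded".
pub fn build_relationships(bin_id: &str, crates: &[Crate]) -> Vec<Relationship> {
    let mut rels = Vec::new();
    for c in crates {
        rels.push(Relationship::new(bin_id, "DEPENDS_ON", Target::Element(c.id.clone()), None));
    }
    for c in crates {
        for f in &c.files {
            rels.push(Relationship::new(&c.id, "CONTAINS", Target::Element(f.clone()), None));
        }
        if c.deps.is_empty() {
            rels.push(Relationship::new(&c.id, "DEPENDS_ON", Target::None,
                Some("Root crate with no dependencies.")));
        }
        for d in &c.deps {
            rels.push(Relationship::new(&c.id, "DEPENDS_ON", Target::Element(d.clone()), None));
        }
    }
    rels
}

/// Assumed consumer-side check: every element a relationship names must be
/// declared in the document (NONE / NOASSERTION are not elements). Returns the
/// undeclared ids, so a dangling reference cannot silently hide a dependency.
pub fn dangling_references(rels: &[Relationship], declared: &HashSet<String>) -> Vec<String> {
    let mut missing = Vec::new();
    for r in rels {
        if !declared.contains(&r.from) {
            missing.push(r.from.clone());
        }
        if let Target::Element(id) = &r.to {
            if !declared.contains(id) {
                missing.push(id.clone());
            }
        }
    }
    missing.sort();
    missing.dedup();
    missing
}

/// Constructed input: a binary built from `mycrate`, which depends on `serde`.
pub fn sample_crates() -> Vec<Crate> {
    vec![
        Crate {
            id: "SPDXRef-Package-mycrate".into(),
            deps: vec!["SPDXRef-Package-serde".into()],
            files: vec!["SPDXRef-File-mycrate-src-main.rs".into()],
        },
        Crate {
            id: "SPDXRef-Package-serde".into(),
            deps: vec![],
            files: vec!["SPDXRef-File-serde-src-lib.rs".into()],
        },
    ]
}

fn main() {
    for r in build_relationships("SPDXRef-File-bin-mycrate", &sample_crates()) {
        println!("{}\n", r.to_tag_value());
    }
}
```

Running `main` prints six relationships: two `DEPENDS_ON` lines from the binary, one `CONTAINS` and one `DEPENDS_ON` for `mycrate`, and one `CONTAINS` plus `DEPENDS_ON NONE` for the dependency-free `serde`. The point of emitting `NONE` rather than omitting the line, as the quoted CarolCompression example does, is that a consumer reading the SBOM can distinguish a genuine leaf of the graph from a generator that simply did not record dependencies.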