Open goneall opened 1 year ago
This is an automated message. Per our repo policy, stale issues get closed if there has been no activity in the past 180 days. The issue will be automatically closed in 14 days. If you wish to keep this issue open, please add a new comment.
Bump - if this issue is resolved, please close
Describe the bug
When using the `--x-json` option, the generated SPDX does not include the `documentDescribes` property nor a `DESCRIBES` relationship between the SPDX Document and the package described by the SPDX document as required by the spec.

Environment

To Reproduce
Steps to reproduce the behavior:

Expected behavior
See attached corrected SPDX JSON file vcpkg-z3-with-describes.spdx.json.txt and the following snippet:
Additional context
This is an admittedly confusing area of the SPDX Spec (which we plan to fix in SPDX 3.0). The `DESCRIBES` relationship is necessary for some tools which need a starting point for package relationship analysis (see this spdx-to-osv comment for an example). The spec requires a `DESCRIBES` relationship between the SPDX Document and one or more packages and/or files if there is more than one package present in the SPDX document.

In October, we updated the JSON schema to have a `documentDescribes` property which can be used interchangeably with a describes relationship.

Spec Reference: See the `DESCRIBES` relationship in Annex 11.

JSON Schema Reference: https://github.com/spdx/spdx-spec/blob/efa69656db9db4fcc871de563cbbd104fc1e33c3/schemas/spdx-schema.json#L219

For an example - see https://github.com/spdx/spdx-spec/blob/efa69656db9db4fcc871de563cbbd104fc1e33c3/examples/SPDXJSONExample-v2.3.spdx.json#L59
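As an added example (not vcpkg's code and not the SPDX project's), the Python below loads a constructed SPDX 2.x JSON document shaped like the output the issue describes (two packages, no `documentDescribes`, no `DESCRIBES` relationship), reports the gap a consumer such as spdx-to-osv would hit, and produces the corrected form carrying both the `documentDescribes` property and the equivalent `DESCRIBES` relationship, since the schema allows either. The package names, SPDXIDs and document namespace in the sample are invented, and the root-package heuristic used to choose what the document should describe is this example's own choice, not something the spec or the issue prescribes.

```python
"""Detect and repair a missing document-level DESCRIBES in SPDX 2.x JSON.

Added example for this issue; not vcpkg or SPDX project code. The embedded
document is constructed to mirror the shape described in the issue.
"""
import copy
import json

# Constructed sample: two packages, no documentDescribes, no DESCRIBES.
# Names, SPDXIDs and the namespace are invented for illustration.
SAMPLE_SPDX_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "z3:x64-linux@4.8.17",
    "documentNamespace": "https://example.invalid/spdx/z3-x64-linux",
    "packages": [
        {"name": "z3", "SPDXID": "SPDXRef-port", "versionInfo": "4.8.17"},
        {"name": "z3:x64-linux", "SPDXID": "SPDXRef-binary"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-port", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-binary"},
    ],
})


def sample_document():
    """Parse the constructed sample into a plain dict."""
    return json.loads(SAMPLE_SPDX_JSON)


def described_elements(doc):
    """SPDXIDs the document declares it describes, via the documentDescribes
    property or DESCRIBES / DESCRIBED_BY relationships involving the document."""
    doc_id = doc.get("SPDXID", "SPDXRef-DOCUMENT")
    ids = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        rtype = rel.get("relationshipType")
        if rtype == "DESCRIBES" and rel.get("spdxElementId") == doc_id:
            ids.add(rel["relatedSpdxElement"])
        elif rtype == "DESCRIBED_BY" and rel.get("relatedSpdxElement") == doc_id:
            ids.add(rel["spdxElementId"])
    return ids


def check_describes(doc):
    """Return (ok, message). Following the issue's reading of the spec: an
    explicit DESCRIBES is required when more than one package is present; a
    lone package is treated as implicitly described."""
    pkg_ids = [p["SPDXID"] for p in doc.get("packages", [])]
    file_ids = {f["SPDXID"] for f in doc.get("files", [])}
    explicit = described_elements(doc)
    if explicit:
        unknown = explicit - set(pkg_ids) - file_ids
        if unknown:
            return False, f"DESCRIBES points at unknown element(s): {sorted(unknown)}"
        return True, f"document describes {sorted(explicit)}"
    if len(pkg_ids) == 1:
        return True, f"single package {pkg_ids[0]} implicitly described"
    return False, f"{len(pkg_ids)} packages but no documentDescribes/DESCRIBES relationship"


def root_packages(doc):
    """Heuristic (this example's choice): packages that are never the target of
    a relationship originating from another package are the natural roots."""
    pkg_ids = {p["SPDXID"] for p in doc.get("packages", [])}
    targeted = {
        rel["relatedSpdxElement"]
        for rel in doc.get("relationships", [])
        if rel.get("spdxElementId") in pkg_ids
        and rel.get("relationshipType") != "DESCRIBES"
    }
    return pkg_ids - targeted


def add_describes(doc, target_ids):
    """Return a copy of doc with documentDescribes and matching DESCRIBES
    relationships added for each target not already described."""
    fixed = copy.deepcopy(doc)
    doc_id = fixed.get("SPDXID", "SPDXRef-DOCUMENT")
    fixed.setdefault("documentDescribes", [])
    fixed.setdefault("relationships", [])
    already = described_elements(fixed)
    for tid in sorted(target_ids):
        if tid in already:
            continue
        fixed["documentDescribes"].append(tid)
        fixed["relationships"].append({
            "spdxElementId": doc_id,
            "relationshipType": "DESCRIBES",
            "relatedSpdxElement": tid,
        })
    return fixed


if __name__ == "__main__":
    doc = sample_document()
    print("before:", check_describes(doc))
    repaired = add_describes(doc, root_packages(doc))
    print("after: ", check_describes(repaired))
    print(json.dumps(repaired, indent=2))
```

Run stand-alone, the script reports the two-package document as lacking a describes link, then prints the repaired JSON with `documentDescribes: ["SPDXRef-port"]` and the matching relationship. Emitting both forms is deliberate: consumers written against the older relationship-only spec and consumers reading the newer property both find a starting point.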