microsoft / vcpkg

C++ Library Manager for Windows, Linux, and MacOS
MIT License

SPDX JSON output should include the documentDescribes property #28562

Open goneall opened 1 year ago

goneall commented 1 year ago

Describe the bug

When using the --x-json option, the generated SPDX does not include the documentDescribes property nor a DESCRIBES relationship between the SPDX Document and the package described by the SPDX document as required by the spec.

Environment

To Reproduce

Steps to reproduce the behavior:

  1. ./vcpkg install z3 --x-json
  2. See attached SPDX JSON output vcpkg.spdx.json.txt and the following snippet:
...
  "creationInfo": {
    "creators": [
      "Tool: vcpkg-7ae0d8527fb488fde10a89c2813802dc9b03b6f9"
    ],
    "created": "2022-12-21T11:11:00Z"
  },
  "relationships": [
...

Expected behavior

See attached corrected SPDX JSON file vcpkg-z3-with-describes.spdx.json.txt and the following snippet:

...
  "creationInfo": {
    "creators": [
      "Tool: vcpkg-7ae0d8527fb488fde10a89c2813802dc9b03b6f9"
    ],
    "created": "2022-12-26T18:55:14Z"
  },
  "documentDescribes" : [ "SPDXRef-port" ],
  "relationships": [
...

Additional context

This is an admittedly confusing area of the SPDX Spec (which we plan to fix in SPDX 3.0). The DESCRIBES relationship is necessary for some tools which need a starting point for package relationship analysis (see this spdx-to-osv comment for an example). The spec requires a DESCRIBES relationship between the SPDX Document and one or more packages and/or files if there is more than one package present in the SPDX document.

In October, we updated the JSON schema to have a documentDescribes property which can be used interchangeably with a describes relationship.

Spec Reference: See the DESCRIBES relationship in Annex 11.

JSON Schema Reference: https://github.com/spdx/spdx-spec/blob/efa69656db9db4fcc871de563cbbd104fc1e33c3/schemas/spdx-schema.json#L219

For an example - see https://github.com/spdx/spdx-spec/blob/efa69656db9db4fcc871de563cbbd104fc1e33c3/examples/SPDXJSONExample-v2.3.spdx.json#L59
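The check that a consuming tool (such as the spdx-to-osv example mentioned above) has to perform is the one the issue describes: find the document's root element(s) via either the `documentDescribes` shortcut or a `DESCRIBES` relationship whose source is the document's own SPDXID, and complain when a multi-package document has neither. The script below is an added example written for this editorial pass; it is not part of vcpkg or of the SPDX tooling. The embedded SPDX document is a hand-constructed sample that only mirrors the shape shown in the issue (`SPDXRef-DOCUMENT`, a `SPDXRef-port` package, a `relationships` array); the second package `SPDXRef-dep`, the `documentNamespace` value and the `infer_roots` heuristic (a package that nothing else `DEPENDS_ON`/`CONTAINS` is a root candidate) are assumptions of this example, not behaviour defined by vcpkg or required by the spec.

```python
"""Validate and repair the DESCRIBES linkage of an SPDX 2.x JSON document.

Added example, not vcpkg or SPDX project code. The sample document is
constructed by hand; it is not real vcpkg --x-json output.
"""
import copy
import json

# Constructed sample: same outline as the snippet in the issue, plus one extra
# package (SPDXRef-dep, assumed) so that the "more than one package" rule applies.
SAMPLE_SPDX = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "z3",
    "documentNamespace": "https://example.invalid/spdx/z3",  # assumed placeholder
    "creationInfo": {"creators": ["Tool: example"], "created": "2022-12-21T11:11:00Z"},
    "packages": [
        {"name": "z3", "SPDXID": "SPDXRef-port", "downloadLocation": "NOASSERTION"},
        {"name": "helper", "SPDXID": "SPDXRef-dep", "downloadLocation": "NOASSERTION"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-port", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-dep"},
    ],
}


def described_elements(doc):
    """Return the set of SPDX IDs the document declares as its roots.

    Both spellings from the issue are accepted: the JSON-schema property
    `documentDescribes` and an explicit DESCRIBES relationship whose
    spdxElementId is the document itself.
    """
    doc_id = doc.get("SPDXID", "SPDXRef-DOCUMENT")
    roots = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if (rel.get("relationshipType") == "DESCRIBES"
                and rel.get("spdxElementId") == doc_id):
            roots.add(rel.get("relatedSpdxElement"))
    return roots


def check_describes(doc):
    """Return a list of problems; an empty list means a tool has a usable root."""
    problems = []
    packages = doc.get("packages", [])
    known = {p["SPDXID"] for p in packages} | {f["SPDXID"] for f in doc.get("files", [])}
    roots = described_elements(doc)
    if not roots and len(packages) > 1:
        problems.append("no documentDescribes and no DESCRIBES relationship from the document")
    for root in sorted(roots):
        if root not in known:
            problems.append(f"described element {root} is not a package or file in this document")
    return problems


def infer_roots(doc):
    """Heuristic (assumption of this example): packages that no other package
    DEPENDS_ON or CONTAINS are the likely roots of a document lacking DESCRIBES."""
    pkg_ids = {p["SPDXID"] for p in doc.get("packages", [])}
    targets = set()
    for rel in doc.get("relationships", []):
        kind = rel.get("relationshipType")
        if kind in ("DEPENDS_ON", "CONTAINS") and rel.get("spdxElementId") in pkg_ids:
            targets.add(rel.get("relatedSpdxElement"))
        elif kind in ("DEPENDENCY_OF", "CONTAINED_BY") and rel.get("relatedSpdxElement") in pkg_ids:
            targets.add(rel.get("spdxElementId"))
    return pkg_ids - targets


def add_describes(doc, root_id):
    """Return a deep copy of doc that carries both forms for root_id:
    the documentDescribes property and the equivalent DESCRIBES relationship."""
    fixed = copy.deepcopy(doc)
    describes = fixed.setdefault("documentDescribes", [])
    if root_id not in describes:
        describes.append(root_id)
    rel = {"spdxElementId": fixed.get("SPDXID", "SPDXRef-DOCUMENT"),
           "relationshipType": "DESCRIBES", "relatedSpdxElement": root_id}
    rels = fixed.setdefault("relationships", [])
    if rel not in rels:
        rels.append(rel)
    return fixed


def repair_from_json(text):
    """Parse an SPDX JSON string, add DESCRIBES for every inferred root, return JSON."""
    doc = json.loads(text)
    for root in sorted(infer_roots(doc)):
        doc = add_describes(doc, root)
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("problems before:", check_describes(SAMPLE_SPDX))
    repaired = json.loads(repair_from_json(json.dumps(SAMPLE_SPDX)))
    print("problems after: ", check_describes(repaired))
    print("roots:", sorted(described_elements(repaired)))
```

Accepting both spellings matters in practice: the spec text talks only about the DESCRIBES relationship, while the JSON schema linked above adds `documentDescribes` as an interchangeable shortcut, so a consumer that keys on only one of them will reject valid documents produced by the other convention. The inference heuristic is a fallback for documents like the vcpkg output in this issue, not a substitute for the producer emitting the linkage.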

github-actions[bot] commented 1 year ago

This is an automated message. Per our repo policy, stale issues get closed if there has been no activity in the past 180 days. The issue will be automatically closed in 14 days. If you wish to keep this issue open, please add a new comment.

goneall commented 1 year ago

Bump - if this issue is resolved, please close

github-actions[bot] commented 6 months ago

This is an automated message. Per our repo policy, stale issues get closed if there has been no activity in the past 180 days. The issue will be automatically closed in 14 days. If you wish to keep this issue open, please add a new comment.

goneall commented 6 months ago

Bump - if this issue is resolved, please close

github-actions[bot] commented 1 week ago

This is an automated message. Per our repo policy, stale issues get closed if there has been no activity in the past 180 days. The issue will be automatically closed in 14 days. If you wish to keep this issue open, please add a new comment.

goneall commented 1 week ago

Bump - if this issue is resolved, please close