spdx / ntia-conformance-checker

Check SPDX SBOM for NTIA minimum elements
Apache License 2.0

`check_dependency_relationships` Function Does Not Match SPDX Minimum Elements Definition of "Relationship" Field #179

Closed jspeed-meyers closed 2 months ago

jspeed-meyers commented 3 months ago

The SPDX mapping of NTIA minimum elements to SPDX fields provides this definition of the "relationship" field:

The document must DESCRIBES at least one package.

But the code currently uses this definition:

https://github.com/spdx/ntia-conformance-checker/blob/e82010c9fefdb467e161ee8ec471c5b60ef9135a/ntia_conformance_checker/sbom_checker.py#L63-L67

In other words, the code simply checks for ANY relationship, which could be a "CONTAINS" relationship, not a "DESCRIBES" relationship.

Oops. I think this was a bug that I perpetuated.

@goneall: What are your thoughts?

And if this is a bug, it'd probably be worth fixing for the coming v2.0.0 release, I think.

goneall commented 3 months ago

Agree the code does not sufficiently check for this. The relationshipType should be DESCRIBES and there should be at least one where the type of the target is a package. It would be great to fix this in the 2.0 release.

Thanks @jspeed-meyers for catching this!
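One way to implement the check the thread settles on (a DESCRIBES relationship from the document to an element that is a package), shown beside the looser "any relationship" check the issue describes. This is an added example, not code from ntia-conformance-checker or spdx-tools: it reads the SPDX 2.x JSON layout (top-level "SPDXID", "packages", "files", "relationships") as plain dicts, ignores the separate `documentDescribes` shorthand field, and the function names and the three sample documents are constructed here for illustration.

```python
"""Does an SPDX 2.x JSON document DESCRIBES at least one package?

Added example (not the project's own code). Operates on SPDX 2.x JSON
parsed into dicts; the sample documents at the bottom are constructed.
"""
import json

DOCUMENT_ID = "SPDXRef-DOCUMENT"  # default SPDXID of the document element


def _package_ids(doc):
    """Return the set of SPDXIDs that belong to packages (not files/snippets)."""
    return {p["SPDXID"] for p in doc.get("packages", [])}


def check_any_relationship(doc):
    """The loose check discussed in the issue: passes if ANY relationship exists,
    so a single CONTAINS relationship between a package and a file is enough."""
    return len(doc.get("relationships", [])) > 0


def check_dependency_relationships(doc):
    """Corrected check: the document must DESCRIBES at least one package.

    A relationship counts only if all three hold:
      * relationshipType is DESCRIBES,
      * the source (spdxElementId) is the document itself,
      * the target (relatedSpdxElement) is the SPDXID of a package.
    """
    packages = _package_ids(doc)
    document_id = doc.get("SPDXID", DOCUMENT_ID)
    for rel in doc.get("relationships", []):
        if (rel.get("relationshipType") == "DESCRIBES"
                and rel.get("spdxElementId") == document_id
                and rel.get("relatedSpdxElement") in packages):
            return True
    return False


# Constructed sample 1: only a CONTAINS relationship (package -> file).
# The loose check accepts this; the corrected check rejects it.
CONTAINS_ONLY = json.loads("""
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [{"SPDXID": "SPDXRef-Package-A", "name": "pkg-a"}],
  "files": [{"SPDXID": "SPDXRef-File-1", "fileName": "./a.c"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-Package-A",
     "relatedSpdxElement": "SPDXRef-File-1",
     "relationshipType": "CONTAINS"}
  ]
}
""")

# Constructed sample 2: the document DESCRIBES a package. Both checks pass.
DESCRIBES_PACKAGE = json.loads("""
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [{"SPDXID": "SPDXRef-Package-A", "name": "pkg-a"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT",
     "relatedSpdxElement": "SPDXRef-Package-A",
     "relationshipType": "DESCRIBES"}
  ]
}
""")

# Constructed sample 3: DESCRIBES is present but its target is a file, not a
# package, so the corrected check still rejects it.
DESCRIBES_FILE = json.loads("""
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "packages": [{"SPDXID": "SPDXRef-Package-A", "name": "pkg-a"}],
  "files": [{"SPDXID": "SPDXRef-File-1", "fileName": "./a.c"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT",
     "relatedSpdxElement": "SPDXRef-File-1",
     "relationshipType": "DESCRIBES"}
  ]
}
""")

if __name__ == "__main__":
    samples = [("contains-only", CONTAINS_ONLY),
               ("describes-package", DESCRIBES_PACKAGE),
               ("describes-file", DESCRIBES_FILE)]
    for name, doc in samples:
        print(f"{name}: any_relationship={check_any_relationship(doc)} "
              f"describes_package={check_dependency_relationships(doc)}")
```

The `_package_ids` lookup is what enforces goneall's "the type of the target is a package" condition; matching only on relationshipType would still accept a document that DESCRIBES a file or snippet.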