Closed jspeed-meyers closed 2 months ago
Agree the code does not sufficiently check for this. The relationshipType should be DESCRIBES and there should be at least one where the type of the target is a package. It would be great to fix this in the 2.0 release.
Thanks @jspeed-meyers for catching this!
The SPDX mapping of NTIA minimum elements to SPDX fields provides this definition of the "relationship" field:
But the code currently uses this definition:
https://github.com/spdx/ntia-conformance-checker/blob/e82010c9fefdb467e161ee8ec471c5b60ef9135a/ntia_conformance_checker/sbom_checker.py#L63-L67
In other words, the code simply checks for ANY relationship, which could be a "CONTAINS" relationship, not a "DESCRIBES" relationship.
Oops. I think this was a bug that I perpetuated.
@goneall: What are your thoughts?
And if this is a bug, it'd probably be worth fixing for the coming v2.0.0 release, I think.
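The difference between the two checks discussed in this thread, as an added example that is not part of the issue and not the ntia-conformance-checker project's own code: the SBOM is modelled with small dataclasses whose field names mirror the SPDX JSON keys (`relationshipType`, `relatedSpdxElement`), not the spdx-tools API, and the sample documents are constructed for illustration. The weak check accepts any relationship at all, so an SBOM that only carries CONTAINS relationships passes; the stricter check requires at least one DESCRIBES relationship whose target is one of the document's packages.

```python
# Added illustration of the check described in this issue (not the
# project's own code). Field names mirror SPDX JSON keys; the data model
# here is a deliberately minimal stand-in for a parsed SPDX document.
from dataclasses import dataclass
from typing import List


@dataclass
class Relationship:
    spdx_element_id: str        # "spdxElementId" in SPDX JSON
    relationship_type: str      # "relationshipType", e.g. DESCRIBES, CONTAINS
    related_spdx_element: str   # "relatedSpdxElement"


@dataclass
class Sbom:
    document_id: str
    package_ids: List[str]      # SPDXIDs of the packages in the document
    file_ids: List[str]         # SPDXIDs of the files in the document
    relationships: List[Relationship]


def has_any_relationship(sbom: Sbom) -> bool:
    """The weak check: passes as soon as ANY relationship exists."""
    return len(sbom.relationships) > 0


def has_describes_package_relationship(sbom: Sbom) -> bool:
    """The stricter check: at least one DESCRIBES relationship whose
    target element is a package in this document."""
    package_ids = set(sbom.package_ids)
    for rel in sbom.relationships:
        if rel.relationship_type != "DESCRIBES":
            continue
        if rel.related_spdx_element in package_ids:
            return True
    return False


# --- constructed sample documents -------------------------------------------

# Only a CONTAINS relationship between two packages: the weak check passes,
# the DESCRIBES check does not.
CONTAINS_ONLY = Sbom(
    document_id="SPDXRef-DOCUMENT",
    package_ids=["SPDXRef-Package-app", "SPDXRef-Package-lib"],
    file_ids=[],
    relationships=[
        Relationship("SPDXRef-Package-app", "CONTAINS", "SPDXRef-Package-lib"),
    ],
)

# The document DESCRIBES a package: both checks pass.
DESCRIBES_PACKAGE = Sbom(
    document_id="SPDXRef-DOCUMENT",
    package_ids=["SPDXRef-Package-app"],
    file_ids=[],
    relationships=[
        Relationship("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-Package-app"),
    ],
)

# A DESCRIBES relationship exists, but its target is a file, not a package:
# the weak check passes, the stricter check does not.
DESCRIBES_FILE = Sbom(
    document_id="SPDXRef-DOCUMENT",
    package_ids=["SPDXRef-Package-app"],
    file_ids=["SPDXRef-File-main"],
    relationships=[
        Relationship("SPDXRef-DOCUMENT", "DESCRIBES", "SPDXRef-File-main"),
        Relationship("SPDXRef-Package-app", "CONTAINS", "SPDXRef-File-main"),
    ],
)


if __name__ == "__main__":
    for name, doc in [("contains-only", CONTAINS_ONLY),
                      ("describes-package", DESCRIBES_PACKAGE),
                      ("describes-file", DESCRIBES_FILE)]:
        print(f"{name:18} any-relationship={has_any_relationship(doc)} "
              f"describes-package={has_describes_package_relationship(doc)}")
```

Running the script shows the gap the issue describes: the CONTAINS-only and DESCRIBES-a-file documents satisfy the weak check but fail the stricter one, and only the document that DESCRIBES a package satisfies both.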