spdx / spdx-java-tagvalue-store

SPDX Document Storage using the Tag/Value format
Apache License 2.0

Files will be added to the last package when serializing #36

Closed goneall closed 1 year ago

goneall commented 1 year ago

If there are any files which are not in the Document Describes nor in a hasFile / Contains relationship to a package, they will be added at the end of the SPDX Document. Since there is an implied contains relationship to any files which immediately follow a package, these files will be included in the contains relationship to the last package in the SPDX document before the files.

This can probably be fixed by adding any non-described, non-contained files at the very beginning before any packages.

Note - this issue has been present since the implementation of the 2.0 spec - several years - and has not been reported, so this may not be a real issue in practice.
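The ordering effect described in this issue, as an added Python sketch that is not part of the comment above and is not code from spdx-java-tagvalue-store. It models only the `PackageName` and `FileName` tags; the package names, file names and the functions `serialize`, `parse` and `round_trip` are constructed for illustration.

```python
# Simplified writer/reader for the tag/value ordering rule discussed above.
# Assumption: only PackageName and FileName tags are modelled; sample data is constructed.

def serialize(packages, orphan_files, orphans_first):
    """packages: list of (package_name, [file_names]) in document order.
    orphan_files: files with no Contains / hasFile relationship to any package."""
    lines = []
    if orphans_first:
        # Proposed fix: emit unowned files before the first package section.
        lines += [f"FileName: {f}" for f in orphan_files]
    for name, files in packages:
        lines.append(f"PackageName: {name}")
        lines += [f"FileName: {f}" for f in files]
    if not orphans_first:
        # Reported behaviour: unowned files are appended at the end.
        lines += [f"FileName: {f}" for f in orphan_files]
    return "\n".join(lines)

def parse(text):
    """Apply the implied rule: a file belongs to the package section that most
    recently started; files before any package belong to none (key None)."""
    owner = None
    contains = {None: []}
    for line in text.splitlines():
        tag, _, value = line.partition(":")
        tag, value = tag.strip(), value.strip()
        if tag == "PackageName":
            owner = value
            contains.setdefault(owner, [])
        elif tag == "FileName":
            contains[owner].append(value)
    return contains

# Constructed sample document: two packages and one file owned by neither.
PACKAGES = [("libfoo", ["./foo/foo.c"]), ("libbar", ["./bar/bar.c"])]
ORPHANS = ["./tools/build.sh"]

def round_trip(orphans_first):
    """Serialize the sample, read it back, and return package -> files."""
    return parse(serialize(PACKAGES, ORPHANS, orphans_first))

if __name__ == "__main__":
    for first in (False, True):
        label = "orphans first" if first else "orphans last"
        print(label, round_trip(first))
```

Comparing the package-to-file map before serialization and after reading the document back is a direct check for this kind of silent re-attribution.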