spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

How can I describe the modified open source in SPDX? #845

Closed HyuckjunChoi closed 1 year ago

HyuckjunChoi commented 1 year ago

I download open source from a source repository like GitHub, npm and so on. I modify the source code for some reasons and build the package. If this output package is included in the SBOM, how can I describe this modified package in SPDX?

I could find the way to describe the specific case of a "security fix". If I modify or fix the package for some security issue, then I think I could use the "externalRefs" as below. https://spdx.github.io/spdx-spec/v2.3-RC1/how-to-use/#k17-linking-to-a-code-fix-for-a-security-issue

```json
"externalRefs" : [ {
  "referenceCategory" : "SECURITY",
  "referenceLocator" : "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f",
  "referenceType" : "fix"
} ]
```

But if I modify or fix the package for other purposes, like adding a function, removing a function or fixing issues, how can I describe that in SPDX?

goneall commented 1 year ago

@HyuckjunChoi The general case of representing modifications in a package is one of the use cases we considered when creating the relationships for SPDX 2.X.

You can create a relationship between the original package and the modified package using ANCESTOR_OF and/or DESCENDANT_OF, depending on the direction of the relationship. See the relationships clause 11 of the spec for more context.

You would include both the original and the modified package in the SBOM and use the above mentioned relationship types to describe how they are related.

The security fix above could be added to the modified package.

You can also add comments to the modified package to provide human readable context.
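The answer above, worked through as an added example (not code from the thread or from the SPDX project): an SPDX 2.3 JSON document that lists both the upstream package and the locally modified build, relates them with DESCENDANT_OF, puts the SECURITY "fix" externalRef on the modified package, and adds a package comment. The package versions, SPDX IDs, document namespace and download URL are constructed; the commit URL is the one quoted in the question. The summary function also accepts the relationship written as ANCESTOR_OF and rejects relationships whose SPDX IDs do not resolve within the document.

```python
# Added example, not from the thread: SPDX 2.3 JSON holding the upstream package and a
# locally modified build related by DESCENDANT_OF, with the security-fix externalRef on
# the modified package. Versions, IDs, namespace and download URL are constructed.
def build_sbom():
    upstream = {  # the unmodified package as downloaded; version is assumed
        "name": "elliptic", "SPDXID": "SPDXRef-Package-elliptic-upstream", "versionInfo": "1.0.0",
        "downloadLocation": "https://registry.npmjs.org/elliptic/-/elliptic-1.0.0.tgz",
    }
    modified = {
        "name": "elliptic", "SPDXID": "SPDXRef-Package-elliptic-modified",
        "versionInfo": "1.0.0-local.1", "downloadLocation": "NOASSERTION",
        # human-readable context for the modification, as suggested in the answer
        "comment": "Rebuilt from upstream 1.0.0 with a local patch applying a security fix.",
        "externalRefs": [{
            "referenceCategory": "SECURITY", "referenceType": "fix",
            "referenceLocator": "https://github.com/indutny/elliptic/commit/441b7428b0e8f6636c42118ad2aaa186d3c34c3f",
        }],
    }
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-sbom", "documentNamespace": "https://example.invalid/spdx/example-sbom",
        "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example-generator"]},
        "packages": [upstream, modified],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-Package-elliptic-modified"},
            # modified DESCENDANT_OF upstream (equivalently upstream ANCESTOR_OF modified)
            {"spdxElementId": "SPDXRef-Package-elliptic-modified", "relationshipType": "DESCENDANT_OF",
             "relatedSpdxElement": "SPDXRef-Package-elliptic-upstream"},
        ],
    }

def modified_package_summary(doc):
    """Map each descendant (modified) package to its ancestor and whether it carries a SECURITY 'fix' ref."""
    pkgs = {p["SPDXID"]: p for p in doc["packages"]}
    known = set(pkgs) | {doc["SPDXID"]}
    def has_fix(pkg):
        return any(r["referenceCategory"] == "SECURITY" and r["referenceType"] == "fix"
                   for r in pkg.get("externalRefs", []))
    summary = {}
    for rel in doc["relationships"]:
        a, b = rel["spdxElementId"], rel["relatedSpdxElement"]
        if a not in known or b not in known:
            raise ValueError(f"{rel['relationshipType']} references an SPDX ID not in the document")
        if rel["relationshipType"] == "DESCENDANT_OF":
            summary[a] = {"ancestor": b, "has_security_fix": has_fix(pkgs[a])}
        elif rel["relationshipType"] == "ANCESTOR_OF":
            summary[b] = {"ancestor": a, "has_security_fix": has_fix(pkgs[b])}
    return summary
```

For a modification that is not a security fix, omit the externalRef and keep the relationship plus the comment; the summary then reports the descendant with has_security_fix set to False rather than dropping it.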

HyuckjunChoi commented 1 year ago

@goneall Thank you for your kind explanation.