spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

Clarification on the NONE and NOASSERTION keywords for relationships #860

Closed TassiloPitrasch closed 6 months ago

TassiloPitrasch commented 1 year ago

The description of the keywords NONE and NOASSERTION for relationships feels somewhat unclear, at least for me. From the docs:

  "the keyword NOASSERTION can be used ... to indicate that the author is not asserting whether there are other SPDX elements ... that are connected by relationships or not."

  "the use of the keyword NONE can be used to indicate that an SPDX element ... has no other elements connected by some relationship to it."

For me, this means that these values can be set in addition to other relationships:

  A contains B
  A contains NONE

would be a valid entry to express that A only has one dependency, B, and that the creator of the SBOM is sure about this.

However, the description of issue 137 says otherwise:

  NONE: Can be used to explicitly indicate there are NO dependencies (at all I presume)
  NOASSERTION: Can be used to explicitly indicate it's not clear if there are dependencies on this package or not.

Only the first interpretation would fulfill the NTIA's requirements regarding "known unknowns" (for which these keywords were introduced).

goneall commented 1 year ago

My interpretation of the use of these fields is for NOASSERTION to be used to indicate "known unknowns" and the NONE is a statement that there are no relationships of the same relationship type.

Consider the following separate possibilities:

  1. A contains B
  2. A contains NOASSERTION
  3. A contains NONE
  4. A contains B and A contains NOASSERTION

1 would indicate a known relationship, 2 would indicate there are "known unknowns", 3 would indicate "we know there are no relationships" and 4 would indicate we know one relationship but there may be more (known unknowns).

You raise a good point that the current description "the use of the keyword NONE can be used to indicate that an SPDX element ... has no other elements connected by some relationship to it." - if it stated "no elements connected" (without the "other"), it would be clearer.

@swinslow @kestewart - As participants in the discussion, is my interpretation correct? If so, should we update the description?

BTW - in 3.0 this all gets clearer as we added a specific property to define the "known unknowns" on relationships.
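The four cases above, turned into a check an SBOM consumer could run over SPDX 2.x tag-value relationships. This is an added example, not code from the SPDX project; it follows the interpretation in this comment (NOASSERTION marks known unknowns, NONE asserts the absence of any element for that relationship type), so NONE appearing alongside a concrete element is reported as inconsistent. The sample document and the "Relationship: <subject> <TYPE> <object>" line shape are assumptions for the example.

```python
"""Classify completeness of SPDX 2.x relationships by subject and type.

Added example following the interpretation in the comment above; the
tag-value format assumed is:  Relationship: <subject> <TYPE> <object>
"""
import re
from collections import defaultdict

# Constructed sample document covering the four cases plus an inconsistency.
SAMPLE = """\
Relationship: SPDXRef-A CONTAINS SPDXRef-B
Relationship: SPDXRef-A CONTAINS NOASSERTION
Relationship: SPDXRef-C CONTAINS NONE
Relationship: SPDXRef-D CONTAINS SPDXRef-E
Relationship: SPDXRef-D CONTAINS NONE
Relationship: SPDXRef-F CONTAINS SPDXRef-G
"""

REL_RE = re.compile(r"^Relationship:\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
SPECIAL = ("NONE", "NOASSERTION")

def parse_relationships(text):
    """Group relationship objects by (subject, relationship type)."""
    rels = defaultdict(list)
    for line in text.splitlines():
        m = REL_RE.match(line.strip())
        if m:
            subj, rtype, obj = m.groups()
            rels[(subj, rtype)].append(obj)
    return rels

def classify(objects):
    """Verdict for one (subject, type):
    'asserted'       only concrete elements listed (case 1)
    'known-unknowns' NOASSERTION present (cases 2 and 4)
    'none'           NONE alone (case 3)
    'inconsistent'   NONE next to anything else (cannot both hold)
    """
    if "NONE" in objects:
        return "none" if objects == ["NONE"] else "inconsistent"
    if "NOASSERTION" in objects:
        return "known-unknowns"
    return "asserted"

def audit(text):
    """Return {(subject, type): verdict} for every relationship group."""
    return {k: classify(v) for k, v in parse_relationships(text).items()}

if __name__ == "__main__":
    for (subj, rtype), verdict in sorted(audit(SAMPLE).items()):
        print(f"{subj} {rtype}: {verdict}")
```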

TassiloPitrasch commented 1 year ago

Thank you, @goneall, really appreciate your thoughts. Indeed, the "other" did throw me off. Good to hear that the topic of "known unknowns" will be addressed in the next specification update.

goneall commented 6 months ago

This has been addressed in the 3.0 spec - closing this issue as resolved.

TassiloPitrasch commented 6 months ago

Thank you very much!