spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

Correct way to represent repository location for a package in SBOM. #875

Closed Moullisha closed 3 months ago

Moullisha commented 5 months ago

Hello,

Can someone provide insight into what could be the best way to mention the repository location for a package out of the two methods mentioned below:

Method 1: Using the sourceInfo field
Method 2: Specifying the location under the files section and then associating it with an appropriate package using the CONTAINS relationship

In case none of the above methods is the correct way of doing it, please let us know what is recommended as per the SPDX standard.

For instance: In the example below, SPDXRef-Pkg-openssl-N-A-4092837 refers to an openssl package and SPDXRef-File-48482523-f refers to a file, and later in the relationships section a CONTAINS relationship has been specified between the package and the file.

```json
{
  "packages": [
    {
      "SPDXID": "SPDXRef-Pkg-openssl-N-A-4092837",
      "name": "openssl",
      "versionInfo": "N-A",
      "homepage": "https://www.openssl.org/",
      "downloadLocation": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "licenseDeclared": "OpenSSL",
      "licenseConcluded": "OpenSSL",
      "supplier": "Organization: Undetermined",
      "licenseInfoFromFiles": [ (... omitting this rather long list ...) ],
      "packageVerificationCode": {
        "packageVerificationCodeValue": "b4e6fca9207b56ee9bbcdb547ba5c2e3b4df6341"
      }
    }
  ],
  "files": [
    {
      "SPDXID": "SPDXRef-File-48482523-f",
      "fileName": "cos-2.5.132/vendor/skopeo.tar",
      "checksums": [
        { "algorithm": "MD5", "checksumValue": "f5eb33ac9bee848e72f6931c30420031" },
        { "algorithm": "SHA1", "checksumValue": "e7066b56ee35e39cf0cc12fe81232decd8ee9ec6" }
      ]
    }
  ],
  "relationships": [
    { "spdxElementId": "SPDXRef-Pkg-cos-2.5.132-5277", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-Pkg-openssl-N-A-4092837" },
    { "spdxElementId": "SPDXRef-Pkg-openssl-N-A-4092837", "relationshipType": "CONTAINS", "relatedSpdxElement": "SPDXRef-File-48482523-f" }
  ]
}
```

Thanks in advance!

goneall commented 5 months ago

@Moullisha does "repository location" refer to A) a file or directory within a repository or B) the location of the repository itself (e.g. URL)?

If A) then I would recommend using the packageFileName property on the Package. For B) you can use the externalRef property - the specific format would depend on the type of repository. Package URLs are a bit more generalized and preferred by many consumers of SPDX.

If a package includes (contains) sub-packages, you should also use a CONTAINS relationship to make it clear the package includes the subpackage in the distribution.

Moullisha commented 5 months ago

@goneall externalRef has a few allowed values for category, like ["OTHER", "PERSISTENT_ID", "PERSISTENT-ID", "SECURITY", "PACKAGE_MANAGER"]. The only category value that seems suitable when providing the repository location is OTHER. But this can be confusing in cases where the externalRef with OTHER has a value other than the repo location.

goneall commented 5 months ago

> @goneall externalRef has a few allowed values for category, like ["OTHER", "PERSISTENT_ID", "PERSISTENT-ID", "SECURITY", "PACKAGE_MANAGER"]. The only category value that seems suitable when providing the repository location is OTHER. But this can be confusing in cases where the externalRef with OTHER has a value other than the repo location.

@Moullisha - can you clarify what you mean by "repository location"? I'm not sure if you mean a location WITHIN a repository or the location OF a repository (e.g. URL).

Moullisha commented 5 months ago

@goneall Repository URL here refers to the github repository path of the project to which the module belongs.

goneall commented 5 months ago

@Moullisha If you have a repository URL, there are a couple of ways you can represent that location.

The preferred approach would be to construct a package URL with the format as defined in the purl spec.

You would then add it as an externalRef of type Package-Manager. The reason for the Package-Manager category is the spec placed purls within that category.

Sometimes it makes sense to use the Git URL in the download location if the package is checked out directly from Git, but this is less common.

Moullisha commented 4 months ago

@goneall The repository location here refers to the github repository of the product where a particular module is being used. For instance, if I use node.js in one of my projects, is there some field in SBOM to store the github repo location of the project in which node.js is being used?

goneall commented 4 months ago

Since you are referring to a separate package (in your example, node.js), I would suggest creating a separate SPDX package to represent node.js and create a relationship between the main package and the dependency (e.g. the DEPENDS_ON relationship). In the dependent package fields, you can add the package URL for the dependency to point to the github location.

Moullisha commented 4 months ago

```json
{
  "packages": [
    {
      "SPDXID": "SPDXRef-Pkg-Product-3.134-4027901",
      "name": "adduser",
      "filesAnalyzed": false,
      "description": "apko container image",
      "downloadLocation": "NOASSERTION",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "d62fea9d5f46122c0355f10e54d500fda294e15088cd1a1a06bdf25af537859a"
        }
      ]
    },
    {
      "SPDXID": "SPDXRef-Pkg-nodejs-2.6.1-4027993",
      "name": "nodejs",
      "versionInfo": "274cbd68f8b7a11427cd8bba73c2aface6499d36",
      "filesAnalyzed": false,
      "description": "Image configuration source",
      "downloadLocation": "https://github.com/chainguard-images/images-private@274cbd68f8b7a11427cd8bba73c2aface6499d36",
      "checksums": [
        {
          "algorithm": "SHA1",
          "checksumValue": "274cbd68f8b7a11427cd8bba73c2aface6499d36"
        }
      ]
    }
  ],
  "relationships": [
    {
      "spdxElementId": "SPDXRef-Pkg-Product-3.134-4027901",
      "relatedSpdxElement": "SPDXRef-Pkg-nodejs-2.6.1-4027993",
      "relationshipType": "CONTAINS"
    }
  ]
}
```
> I would suggest creating a separate SPDX package to represent node.js and create a relationship between the main package and the dependency (e.g. the DEPENDS_ON relationship). In the dependent package fields, you can add the package URL for the dependency to point to the github location.

In the example above, SPDXRef-Pkg-Product-3.134-4027901 refers to my product and SPDXRef-Pkg-nodejs-2.6.1-4027993 refers to the nodejs package being used in my project. A CONTAINS relationship is defined between the product and nodejs to demonstrate the dependency between the two.

But if I want to include the github repo url of my project in which nodejs has been used, is there some field under Package Information section that I can use?

goneall commented 4 months ago

> But if I want to include the github repo url of my project in which nodejs has been used, is there some field under Package Information section that I can use?

If your project is in a GitHub repo, you can add an external reference using a package URL for your git repo. It would not be specific to the nodejs.

For the nodejs, you can have a separate external reference pointing to the git repository for that project.
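
The layout goneall recommends here and in the earlier comment (one SPDX package per dependency, a DEPENDS_ON relationship between them, and each project's repository as a purl externalRef), as an added Python example that is not code from the SPDX project; the repository names, versions and document namespace are constructed placeholders.

```python
# Added example, not the SPDX project's code: an SPDX 2.3 JSON document for this thread's
# scenario. The product lives in a GitHub repo and depends on nodejs; each package carries
# its own repository as a purl externalRef (the category the spec assigns to purls) and a
# DEPENDS_ON relationship links them. Repo names, versions and namespace are placeholders.

PURL_CATEGORIES = {"PACKAGE-MANAGER", "PACKAGE_MANAGER"}  # both spellings occur in SPDX 2.x JSON

def purl_ref(purl: str) -> dict:
    """One externalRefs entry of the shape SPDX 2.x uses for package URLs."""
    return {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
            "referenceLocator": purl}

def package(spdx_id: str, name: str, version: str, owner: str, repo: str) -> dict:
    """Package with its GitHub repo as a purl externalRef and as a VCS-form downloadLocation."""
    return {
        "SPDXID": spdx_id, "name": name, "versionInfo": version, "filesAnalyzed": False,
        "downloadLocation": f"git+https://github.com/{owner}/{repo}@{version}",
        "externalRefs": [purl_ref(f"pkg:github/{owner}/{repo}@{version}")],
    }

def build_sbom() -> dict:
    return {
        "spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
        "name": "example-product-sbom",
        "documentNamespace": "https://example.invalid/spdx/example-product-sbom",
        "creationInfo": {"created": "2024-01-01T00:00:00Z", "creators": ["Tool: example-script"]},
        "packages": [
            package("SPDXRef-Product", "example-product", "1.0.0", "example-org", "example-product"),
            package("SPDXRef-nodejs", "nodejs", "20.11.0", "nodejs", "node"),
        ],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": "SPDXRef-Product"},
            {"spdxElementId": "SPDXRef-Product", "relationshipType": "DEPENDS_ON",
             "relatedSpdxElement": "SPDXRef-nodejs"},
        ],
    }

def check(doc: dict) -> list:
    """Consumer-side checks: relationship endpoints resolve, purl refs use the package-manager category."""
    ids = {doc["SPDXID"]} | {p["SPDXID"] for p in doc["packages"]}
    problems = [f"dangling {r[k]}" for r in doc["relationships"]
                for k in ("spdxElementId", "relatedSpdxElement") if r[k] not in ids]
    for p in doc["packages"]:
        for ref in p.get("externalRefs", []):
            if ref["referenceType"] == "purl" and ref["referenceCategory"] not in PURL_CATEGORIES:
                problems.append(f"{p['SPDXID']}: purl filed under {ref['referenceCategory']}")
    return problems
```

Running `check(build_sbom())` returns an empty list; a relationship pointing at an SPDXID that is not in the document, or a purl filed under OTHER as discussed above, shows up as a problem string.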

goneall commented 3 months ago

I believe this has been answered - @Moullisha if you have further questions, feel free to re-open or open a new issue