Closed billie-alsup closed 3 weeks ago
I have looked at the SPDX 2.3.0 specification
In section 7.7.1 (Package download location field description), it simply mentions a URL, NONE, or NOASSERTION.
However, in section 7.7.3 Examples, it explicitly lists supported git schemes, and gitsm is not mentioned. So it seems that I need to handle this in the application, whether in the SPDX generator, or possibly pushing the problem back to the yocto environment. Certainly a given git SHA1 would be sufficient to identify the submodules' SHA1 as well, but I think it might be better to list each submodule (recursively) as an independent package, with independent supplier/originator/license/etc. Of course the relationship between the packages can be listed in the relationships section as well.
The supported_download_repos list in validation/uri_validators.py is missing gitsm.
Our OpenEmbedded build produces three SPDX files using gitsm:
gitsm is the bitbake submodule fetcher.
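As an added illustration (my own code, not the project's uri_validators.py), a validator that implements the download-location grammar from SPDX 2.3 section 7.7.3 and reports a gitsm scheme as "outside the spec" rather than as a generic failure, so an SPDX generator can decide how to handle it; the regexes, status names and sample locations are my assumptions.

```python
import re
from typing import NamedTuple, Optional

# VCS schemes listed in SPDX 2.3 section 7.7.3; "gitsm" (the bitbake
# submodule fetcher) is not among them, which is the gap discussed above.
SPDX_VCS_SCHEMES = ("git", "hg", "svn", "bzr")
PLAIN_URL_SCHEMES = ("http", "https", "ftp")  # bare URL allowed by 7.7.1

# <vcs>[+<transport>]://<host>/<path>[@<revision>][#<subpath>]
_URL_FORM = re.compile(
    r"^(?P<vcs>[a-z]+)(?:\+(?P<transport>[a-z]+))?://(?P<locator>[^@#]+)"
    r"(?:@(?P<revision>[^#]+))?(?:#(?P<subpath>.+))?$"
)
# scp-style form from the examples, e.g. git+git@host:path[@revision]
_SCP_FORM = re.compile(
    r"^(?P<vcs>[a-z]+)\+(?P<transport>[a-z]+)@(?P<locator>[^:]+:[^@#]+)"
    r"(?:@(?P<revision>[^#]+))?(?:#(?P<subpath>.+))?$"
)


class DownloadLocation(NamedTuple):
    # status: "ok", "none", "noassertion", "unsupported_vcs" or "invalid"
    status: str
    vcs: Optional[str] = None
    revision: Optional[str] = None
    subpath: Optional[str] = None


def validate_download_location(value: str) -> DownloadLocation:
    """Classify one PackageDownloadLocation value against SPDX 2.3 7.7."""
    if value == "NONE":
        return DownloadLocation("none")
    if value == "NOASSERTION":
        return DownloadLocation("noassertion")
    m = _URL_FORM.match(value) or _SCP_FORM.match(value)
    if not m:
        return DownloadLocation("invalid")
    vcs = m.group("vcs")
    if vcs in PLAIN_URL_SCHEMES:  # e.g. a tarball URL, no VCS parsing
        return DownloadLocation("ok")
    rev, sub = m.group("revision"), m.group("subpath")
    if vcs not in SPDX_VCS_SCHEMES:
        # e.g. gitsm+https://...: valid for bitbake, not a 7.7.3 scheme
        return DownloadLocation("unsupported_vcs", vcs, rev, sub)
    return DownloadLocation("ok", vcs, rev, sub)
```

A generator that sees "unsupported_vcs" with vcs == "gitsm" can then apply the approach described above: emit the superproject with a git+ location and each submodule as its own package linked through relationships.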