Closed rnjudge closed 3 years ago
Is there an error in the validation tool or is my understanding of the spec wrong? Should I just use NOASSERTION for the PackageDownloadLocation since I can't represent it using "locations in version control systems such as Git, Mercurial, Subversion and Bazaar, and specifies the type of VCS tool using url prefixes: git+, hg+, bzr+, svn+ and specific transport schemes such as SSH or HTTPS." as the spec asks here?
Purl can be used in the ExternalRef field (not to be confused with ExternalDocumentReference).
For example:
ExternalRef: PACKAGE-MANAGER purl pkg:docker/debian@sha256:2f04d3d33b6027bb74ecc81397abe780649ec89f1a2af18d7022737d0482cefe
The packageDownloadLocation doesn't take a purl format according to section 3.7. It only accepts specific version control schemes.
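To make the distinction in the comment above concrete, here is a small added example (not code from the thread, from Tern, or from the SPDX tools validator). It assumes the spec's PackageDownloadLocation grammar of NONE, NOASSERTION, a plain download URL, or a git+/hg+/svn+/bzr+ prefixed VCS location, and it treats a purl as valid only in an ExternalRef line; the package name and SPDXID used are constructed.

```python
import re
from typing import List, Optional

# ExternalRef category/type pair used for purls, as in the comment above.
PURL_REF_PREFIX = "ExternalRef: PACKAGE-MANAGER purl "

# PackageDownloadLocation (assumed per spec section 3.7): a plain URL, or a VCS
# location with a git+/hg+/svn+/bzr+ prefix and a transport such as ssh or https.
_VCS_OR_URL = re.compile(
    r"^(?:(?:git|hg|svn|bzr)\+)?(?:https?|ssh|ftp|git|svn|bzr)://\S+$"
)
# Minimal purl shape: pkg:<type>/<namespace-or-name>... (not a full purl parser).
_PURL = re.compile(r"^pkg:[A-Za-z0-9.+-]+/\S+$")


def is_valid_download_location(value: str) -> bool:
    """True if value is acceptable in PackageDownloadLocation; a purl is not."""
    return value in ("NONE", "NOASSERTION") or bool(_VCS_OR_URL.match(value))


def is_purl(value: str) -> bool:
    return bool(_PURL.match(value))


def package_block(name: str, spdx_id: str, download_location: str,
                  purl: Optional[str] = None) -> str:
    """Emit a tag-value package, carrying the purl in ExternalRef rather than
    in PackageDownloadLocation. Raises ValueError on the mistake from the thread."""
    if not is_valid_download_location(download_location):
        raise ValueError(
            f"PackageDownloadLocation rejects {download_location!r}; "
            "use NOASSERTION there and carry the purl in ExternalRef"
        )
    lines = [
        f"PackageName: {name}",
        f"SPDXID: {spdx_id}",
        f"PackageDownloadLocation: {download_location}",
    ]
    if purl is not None:
        if not is_purl(purl):
            raise ValueError(f"not a purl: {purl!r}")
        lines.append(PURL_REF_PREFIX + purl)
    return "\n".join(lines) + "\n"


def validate_tag_value(text: str) -> List[str]:
    """Lint a tag-value document for the two fields discussed in the thread
    and return one message per problem found (empty list means clean)."""
    errors = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("PackageDownloadLocation:"):
            value = line.split(":", 1)[1].strip()
            if not is_valid_download_location(value):
                hint = " (a purl belongs in ExternalRef)" if value.startswith("pkg:") else ""
                errors.append(f"line {lineno}: invalid PackageDownloadLocation {value!r}{hint}")
        elif line.startswith(PURL_REF_PREFIX):
            locator = line[len(PURL_REF_PREFIX):].strip()
            if not is_purl(locator):
                errors.append(f"line {lineno}: malformed purl {locator!r}")
    return errors


if __name__ == "__main__":
    # Constructed usage: the docker purl from the comment above, placed correctly.
    purl = "pkg:docker/debian@sha256:2f04d3d33b6027bb74ecc81397abe780649ec89f1a2af18d7022737d0482cefe"
    doc = package_block("debian", "SPDXRef-debian-image", "NOASSERTION", purl)
    print(doc)
    print("errors:", validate_tag_value(doc))
    # The rejected form: purl straight into PackageDownloadLocation.
    print("errors:", validate_tag_value(f"PackageDownloadLocation: {purl}\n"))
```

Running the script prints the accepted block (NOASSERTION plus an ExternalRef purl) with no errors, then one error for the purl-as-download-location form, which is the validator complaint the issue describes.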
Thanks @goneall! Sounds like NOASSERTION is our best bet for this particular use case.
@goneall is there any chance of proposing that package download location accept purls? For the container use case especially, this is highly relevant.
is there any chance of proposing that package download location accept purls?
This would be a change to the spec - certainly something to be considered.
In the 3T SBOM discussions, we talked about a separate dedicated property called ArtifactURL. That way you could have a download location where the code could actually be accessed and a separate purl property. Would this work for the container use cases?
@goneall ArtifactURL that holds a purl value for packages will work for the container use case. Thanks! Will this be in the 3.0 spec?
Will this be in the 3.0 spec?
I expect it will be in the 3.0 spec.
@rnjudge Since this looks spec related, I'm going to go ahead and close this issue
I am trying to create an SPDX tag-value document for a container. In Tern, we represent a container image as a package in the document. In trying to represent the PackageDownloadLocation for the container, I am hoping to use the pURL as mentioned here. When I do that, the tooling gives me the following error: