spdx / tools

SPDX Tools
Apache License 2.0

Two DOCUMENT DESCRIBES relationships incorrectly validate #304

Closed rnjudge closed 1 year ago

rnjudge commented 2 years ago

If I have an SPDX document with two SPDXRef-DOCUMENT DESCRIBES SPDXRef-<artifact_a/b> relationships, the document validates with spdx-tools-2.2.7. I believe that there should only be one SPDXRef-DOCUMENT DESCRIBES SPDXRef-Artifact relationship per SPDX document? If this is the case, the spec documentation should also be updated, as there's no clear constraint on how many SPDXRef-DOCUMENT DESCRIBES relationships can be present in a file.

Attached file is the document that I believe is improperly validating. Specifically, lines 23 and 24:

22 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-top-level-artifact-1.0
23 Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-upload1366

double-describes-spdx.txt

goneall commented 2 years ago

@rnjudge After going back and looking at the JSON Schema cardinality for the documentDescribes property, I came to the conclusion that multiple describes relationships are allowed.

I recall a discussion where we considered having a single document describes, but I think we decided on allowing more than one.

@tsteenbe - do you recall the discussion and if the cardinality for the document describes should be 1 or more?

rnjudge commented 2 years ago

So an SPDX document can describe two pieces of software simultaneously? I thought it was one document per piece of top-level encapsulating software but that could easily be my incorrect interpretation.

goneall commented 1 year ago

So an SPDX document can describe two pieces of software simultaneously?

Yes - you can have a single SPDX document "Describe" two separate patches intended to be applied to a separate package as one possible use case.

Most use cases, however, would have a single package referenced in the document describes.

rnjudge commented 1 year ago

Thanks for the clarification @goneall.
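The thread ends with the spec allowing more than one SPDXRef-DOCUMENT DESCRIBES relationship, so a tool that rejects a second one is enforcing local policy, not the spec. The following checker, an added example that is not part of the spdx/tools code base, makes that distinction explicit: it lists every DESCRIBES target in a tag/value or JSON SPDX document, flags targets that have no matching SPDXID (a genuine defect), and only reports a cardinality error when the caller passes an explicit `max_describes` cap. The function names, the `DescribesReport` type and both sample documents are assumptions constructed for this example; the two Relationship lines mirror the ones quoted in the issue.

```python
"""List and sanity-check the SPDXRef-DOCUMENT DESCRIBES targets of an SPDX 2.x document.

Handles the tag/value format (as attached to the issue) and the JSON format
(documentDescribes property plus DESCRIBES entries in relationships).
"""
import json
import re
from dataclasses import dataclass, field

# Tag/value lines we care about: "SPDXID: <id>" and "Relationship: <a> <TYPE> <b>"
ID_RE = re.compile(r"^SPDXID:\s*(\S+)\s*$")
REL_RE = re.compile(r"^Relationship:\s*(\S+)\s+(\S+)\s+(\S+)\s*$")


@dataclass
class DescribesReport:
    targets: list = field(default_factory=list)     # SPDX IDs the document DESCRIBES, in order
    unresolved: list = field(default_factory=list)  # targets with no SPDXID anywhere in the document
    errors: list = field(default_factory=list)      # human-readable findings


def parse_tag_value(text):
    """Return (set of declared SPDX IDs, list of DOCUMENT DESCRIBES targets) for tag/value text."""
    ids, targets = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        m = ID_RE.match(line)
        if m:
            ids.add(m.group(1))
            continue
        m = REL_RE.match(line)
        if m and m.group(1) == "SPDXRef-DOCUMENT" and m.group(2) == "DESCRIBES":
            targets.append(m.group(3))
    return ids, targets


def parse_json(text):
    """Same as parse_tag_value, for the JSON serialisation."""
    doc = json.loads(text)
    ids = {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    for key in ("packages", "files", "snippets"):
        ids.update(e["SPDXID"] for e in doc.get(key, []) if "SPDXID" in e)
    targets = list(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if rel.get("spdxElementId") == "SPDXRef-DOCUMENT" and rel.get("relationshipType") == "DESCRIBES":
            targets.append(rel.get("relatedSpdxElement"))
    return ids, targets


def check_describes(text, max_describes=None):
    """Report DESCRIBES targets; `max_describes` is a local policy cap, not a spec rule."""
    ids, targets = parse_json(text) if text.lstrip().startswith("{") else parse_tag_value(text)
    targets = list(dict.fromkeys(targets))  # drop duplicates, keep first-seen order
    report = DescribesReport(targets=targets)
    if not targets:
        report.errors.append("no SPDXRef-DOCUMENT DESCRIBES relationship found")
    for t in targets:
        if t not in ids:
            report.unresolved.append(t)
            report.errors.append(f"DESCRIBES target {t} has no SPDXID in the document")
    if max_describes is not None and len(targets) > max_describes:
        report.errors.append(
            f"local policy allows at most {max_describes} DESCRIBES target(s), found {len(targets)}")
    return report


# Constructed tag/value sample modelled on the issue's attachment (two DESCRIBES lines).
SAMPLE_TAG_VALUE = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: double-describes-example
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-top-level-artifact-1.0
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-upload1366
PackageName: top-level-artifact
SPDXID: SPDXRef-top-level-artifact-1.0
PackageName: upload1366
SPDXID: SPDXRef-upload1366
"""

# Constructed JSON sample: one target via documentDescribes, one via relationships,
# and the second target deliberately has no package entry.
SAMPLE_JSON = json.dumps({
    "spdxVersion": "SPDX-2.2",
    "SPDXID": "SPDXRef-DOCUMENT",
    "documentDescribes": ["SPDXRef-Package-A"],
    "packages": [{"name": "a", "SPDXID": "SPDXRef-Package-A"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
                       "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-Package-B"}],
})

if __name__ == "__main__":
    for label, doc in (("tag/value", SAMPLE_TAG_VALUE), ("json", SAMPLE_JSON)):
        rep = check_describes(doc)
        print(label, "describes:", rep.targets, "errors:", rep.errors)
    print("with max_describes=1:", check_describes(SAMPLE_TAG_VALUE, max_describes=1).errors)
```

Run against the tag/value sample, the checker returns both targets with no errors, which is the behaviour the maintainer confirms as correct; the same document only fails when a cap of one is requested, and the JSON sample shows the check that is worth failing on regardless of policy, a DESCRIBES target that resolves to nothing.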