
SPDX Tools
Apache License 2.0

Correct way to represent repository location for a package in SBOM. #317

Closed Moullisha closed 8 months ago

Moullisha commented 8 months ago

Hello,

Can someone provide insight into what could be the best way to mention the repository location for a package out of the two methods mentioned below:

Method 1: Using the sourceInfo field
Method 2: Specifying the location under the files section and then associating it with an appropriate package using the CONTAINS relationship

In case neither of the above methods is the correct way of doing it, please let us know what is recommended as per the SPDX standards.

For instance: In the example below, SPDXRef-Pkg-openssl-N-A-4092837 refers to an openssl package and SPDXRef-File-48482523-f refers to a file, and later in the relationships section a CONTAINS relationship has been specified between the package and the file.

    {
        "SPDXID": "SPDXRef-Pkg-openssl-N-A-4092837",
        "name": "openssl",
        "versionInfo": "N-A",
        "homepage": "https://www.openssl.org/",
        "downloadLocation": "NOASSERTION",
        "copyrightText": "NOASSERTION",
        "licenseDeclared": "OpenSSL",
        "licenseConcluded": "OpenSSL",
        "supplier": "Organization: Undetermined",
        "licenseInfoFromFiles": [
            (... omitting this rather long list ...)
        ],
        "packageVerificationCode": {
            "packageVerificationCodeValue": "b4e6fca9207b56ee9bbcdb547ba5c2e3b4df6341"
        }
    },

    "files": [
    {
        "SPDXID": "SPDXRef-File-48482523-f",
        "fileName": "cos-2.5.132/vendor/skopeo.tar",
        "checksums": [
            {
                "algorithm": "MD5",
                "checksumValue": "f5eb33ac9bee848e72f6931c30420031"
            },
            {
                "algorithm": "SHA1",
                "checksumValue": "e7066b56ee35e39cf0cc12fe81232decd8ee9ec6"
            }
        ]
    }
    ],

    "relationships": [
    {
        "spdxElementId": "SPDXRef-Pkg-cos-2.5.132-5277",
        "relationshipType": "CONTAINS",
        "relatedSpdxElement": "SPDXRef-Pkg-openssl-N-A-4092837"
    },
    {
        "spdxElementId": "SPDXRef-Pkg-openssl-N-A-4092837",
        "relationshipType": "CONTAINS",
        "relatedSpdxElement": "SPDXRef-File-48482523-f"
    }
    ]

Thanks in advance!
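Added example, not from the issue or from the spdx/tools project: a stand-alone Python script that builds a small SPDX 2.3 JSON document carrying a package's repository location both ways described in the question (a free-text sourceInfo on the package, and a file bound to the package with a CONTAINS relationship) and also in downloadLocation, the SPDX 2.x package field that holds the retrieval URL in VCS form. It then runs the check a consumer needs before trusting a file-based location: every relationship endpoint must resolve to an SPDXID the document actually defines. The SPDX IDs, repository URL, file name, checksum and document namespace are all hypothetical values constructed for the example.

```python
"""Constructed SPDX 2.3 example (not spdx/tools code, not from the issue).

Shows both ways from the question of tying a package to its repository
location, then runs referential checks over the relationships section.
All IDs, URLs, file names and digests are hypothetical.
"""
import json

# Hypothetical repository location in the VCS-URL form the SPDX 2.x
# downloadLocation field accepts: <vcs>+<transport>://<host>/<path>@<revision>
REPO_URL = "git+https://example.org/openssl/openssl.git@openssl-3.0.8"

PKG_ID = "SPDXRef-Pkg-openssl"          # hypothetical package SPDXID
FILE_ID = "SPDXRef-File-openssl-src"    # hypothetical file SPDXID


def build_document() -> dict:
    """Return a minimal SPDX 2.3 document with one package and one file."""
    package = {
        "SPDXID": PKG_ID,
        "name": "openssl",
        "versionInfo": "3.0.8",
        # Method 1 from the question: free-text sourceInfo on the package.
        "sourceInfo": f"Sources fetched from {REPO_URL}",
        # Structured SPDX 2.x field for the same fact; NOASSERTION if unknown.
        "downloadLocation": REPO_URL,
        "filesAnalyzed": True,
        "licenseConcluded": "NOASSERTION",
        "licenseDeclared": "NOASSERTION",
        "copyrightText": "NOASSERTION",
    }
    source_file = {
        "SPDXID": FILE_ID,
        "fileName": "./openssl-3.0.8.tar.gz",  # constructed path
        "checksums": [
            # constructed digest, not the real archive's SHA-1
            {"algorithm": "SHA1",
             "checksumValue": "da39a3ee5e6b4b0d3255bfef95601890afd80709"},
        ],
        "licenseConcluded": "NOASSERTION",
        "copyrightText": "NOASSERTION",
    }
    # Method 2 from the question: record the retrieved artifact under "files"
    # and bind it to the package with a CONTAINS relationship.
    relationships = [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": PKG_ID},
        {"spdxElementId": PKG_ID, "relationshipType": "CONTAINS",
         "relatedSpdxElement": FILE_ID},
    ]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "openssl-sbom-example",
        "documentNamespace": "https://example.org/spdx/openssl-sbom-example",
        "creationInfo": {"created": "2024-01-01T00:00:00Z",
                         "creators": ["Tool: example-script"]},
        "packages": [package],
        "files": [source_file],
        "relationships": relationships,
    }


def check_relationships(doc: dict) -> list:
    """One message per relationship endpoint naming an SPDXID the document
    never defines. A dangling CONTAINS is how a file-based location
    silently stops meaning anything."""
    defined = {doc["SPDXID"]}
    defined.update(p["SPDXID"] for p in doc.get("packages", []))
    defined.update(f["SPDXID"] for f in doc.get("files", []))
    problems = []
    for rel in doc.get("relationships", []):
        for key in ("spdxElementId", "relatedSpdxElement"):
            ref = rel[key]
            if ref not in defined and ref not in ("NONE", "NOASSERTION"):
                problems.append(f"{rel['relationshipType']}: {key} {ref} is not defined")
    return problems


def files_contained_by(doc: dict, package_id: str) -> set:
    """File SPDXIDs that a package CONTAINS (method 2 from the question)."""
    file_ids = {f["SPDXID"] for f in doc.get("files", [])}
    return {rel["relatedSpdxElement"] for rel in doc.get("relationships", [])
            if rel["spdxElementId"] == package_id
            and rel["relationshipType"] == "CONTAINS"
            and rel["relatedSpdxElement"] in file_ids}


def has_repository_location(pkg: dict) -> bool:
    """True if the package records a location in either field from the question."""
    loc = pkg.get("downloadLocation", "NOASSERTION")
    return loc not in ("NOASSERTION", "NONE") or bool(pkg.get("sourceInfo"))


if __name__ == "__main__":
    doc = build_document()
    print(json.dumps(doc, indent=2))
    print("problems:", check_relationships(doc) or "none")
    print("files in", PKG_ID, "->", sorted(files_contained_by(doc, PKG_ID)))
```

Running the script prints the document and reports no problems; appending a CONTAINS relationship whose relatedSpdxElement is not listed under "files" (or "packages") makes check_relationships flag it, which is the failure mode to test for when the location lives in a file entry rather than on the package itself.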

Moullisha commented 8 months ago

Created a similar issue https://github.com/spdx/spdx-spec/issues/875 as I was unsure of where it might be best to raise it. Was unable to delete this one. Please feel free to respond to the issue raised here -> https://github.com/spdx/spdx-spec/issues/875.

goneall commented 8 months ago

@Moullisha - I just replied to the other issue - I'll go ahead and close this one.