Adding NOASSERTION/NONE to DocumentRef in relationships as per the spdx v2.3 spec #781

Open
ShubhankarVN opened this issue Dec 12, 2023 · 3 comments

@ShubhankarVN

In Table 69 of Chapter 11 of the SPDX V2.3 Spec, the Format section states that NONE and NOASSERTION are acceptable in the related spdx element field.

["DocumentRef-"[idstring]":"]SPDXID <relationship> ["DocumentRef-"[idstring]":"]SPDXID | NONE | NOASSERTION
where "DocumentRef-"[idstring]":" is an optional reference to an external SPDX document as described in 6.6
where SPDXID is a string containing letters, numbers, . and/or -. as described in 6.3, 7.2, 8.2.
where <relationship> is one of the documented relationship types in Table 68.
where NONE can be used to explicitly indicate there are NO other relationships.
where NOASSERTION can be used to explicitly indicate it is not clear if there are relationships that may apply or not.

The sample relationship I'm trying is,
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NONE",
"relationshipType": "DESCRIBED_BY"
}

This gives me an error stating,
the internal SPDX id part of spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: NOASSERTION' and the internal SPDX id part of spdx_id must only contain letters, numbers, "." and "-" and must begin with "SPDXRef-", but is: NONE'

Have I interpreted the spec incorrectly or should NOASSERTION and NONE be allowed as per the sample relationship I have mentioned above?

spdx_tools = 0.8.2
python = 3.10.11

@goneall
Member

goneall commented Dec 12, 2023

@ShubhankarVN I believe the syntax allows for NONE and NOASSERTION without the preceding DocumentRef-.

So the following should work:

{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "NONE",
"relationshipType": "DESCRIBED_BY"
}

@ShubhankarVN
Author

The scenario we are trying is where the Package and External Document Refs are related and both IDs are known, but the exact internal SPDXID that's part of the DocumentRef is not known.

In the below example, SPDXRef-Package-1 and DocumentRef-1 are known IDs, but the exact internal SPDXID that's part of DocumentRef-1 is unknown, hence NOASSERTION/NONE.

E.g.:
{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:NOASSERTION",
"relationshipType": "DESCRIBED_BY"
}

What can be done in this scenario?

@goneall
Member

goneall commented Dec 13, 2023

> What can be done in this scenario?

The spec currently doesn't support referring to an unknown SPDX ID within an external document.

What I would suggest is creating a relationship to the document itself which has a pre-defined known ID - e.g.:

{
"spdxElementId": "SPDXRef-Package-1",
"relatedSpdxElement": "DocumentRef-1:SPDXRef-DOCUMENT",
"relationshipType": "DESCRIBED_BY"
}
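
The grammar quoted in the thread, written out as a small stand-alone checker (an added example, not part of the thread and not spdx_tools code). The names `parse_related` and `check` are hypothetical, and the `DocumentRef-` idstring charset is an assumption because the thread does not quote section 6.6.

```python
import re
from typing import NamedTuple, Optional

# SPDXID charset as quoted in the thread: letters, numbers, "." and/or "-".
SPDXID = r"SPDXRef-[A-Za-z0-9.-]+"
# Assumption: the thread does not quote the DocumentRef idstring charset
# (section 6.6), so the SPDXID charset is reused here.
DOCREF = r"DocumentRef-[A-Za-z0-9.-]+"
ELEMENT = re.compile(rf"(?:(?P<doc>{DOCREF}):)?(?P<id>{SPDXID})")
PLACEHOLDERS = ("NONE", "NOASSERTION")

class Related(NamedTuple):
    document_ref: Optional[str]   # "DocumentRef-..." prefix, if any
    spdx_id: Optional[str]        # "SPDXRef-..." part, if any
    placeholder: Optional[str]    # "NONE" / "NOASSERTION", if used

def parse_related(value: str) -> Related:
    """Parse relatedSpdxElement: [DocumentRef-x:]SPDXID | NONE | NOASSERTION."""
    if value in PLACEHOLDERS:
        return Related(None, None, value)
    m = ELEMENT.fullmatch(value)
    if m:
        return Related(m.group("doc"), m.group("id"), None)
    doc, sep, tail = value.partition(":")
    if sep and tail in PLACEHOLDERS:
        raise ValueError(f"{tail} must stand alone, not follow {doc}:")
    raise ValueError(f"not an SPDX element reference: {value!r}")

def check(relationships):
    """Return (index, field, message) for every malformed reference."""
    problems = []
    for i, rel in enumerate(relationships):
        # The left-hand side must be a real element; placeholders are not allowed.
        if not ELEMENT.fullmatch(rel["spdxElementId"]):
            problems.append((i, "spdxElementId", "not an SPDX element reference"))
        try:
            parse_related(rel["relatedSpdxElement"])
        except ValueError as exc:
            problems.append((i, "relatedSpdxElement", str(exc)))
    return problems

# Constructed input: the relatedSpdxElement values discussed in the thread.
SAMPLE = [
    {"spdxElementId": "SPDXRef-Package-1", "relationshipType": "DESCRIBED_BY",
     "relatedSpdxElement": v}
    for v in ("DocumentRef-1:NOASSERTION", "DocumentRef-1:NONE", "NOASSERTION",
              "NONE", "DocumentRef-1:SPDXRef-DOCUMENT")
]
```

Running `check(SAMPLE)` flags only the two `DocumentRef-1:` plus placeholder entries; the bare placeholders and the `DocumentRef-1:SPDXRef-DOCUMENT` form pass.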
