anthonyharrison / sbom4python

A tool to generate a SBOM (Software Bill of Materials) for an installed Python module


SPDX Relationships Semantics

dmholtz opened this issue · comments

First of all, thanks for the work on the nice and lightweight cli tool for creating SBOMs for Python projects.

Regarding SPDX SBOMs, I assume that sbom4python currently generates dependencies with wrong semantics. If I read the SPDX documentation on relationships correctly, I assume that a DEPENDS_ON relationship is more appropriate than a CONTAINS relationship to express the build and run dependency between two packages. CONTAINS is suitable for archives, which physically contain other files.

Example:

pip show jinja2
Name: Jinja2
Version: 3.1.2
Summary: A very fast and expressive template engine.
Home-page: https://palletsprojects.com/p/jinja/
Author: Armin Ronacher
Author-email: armin.ronacher@active-4.com
License: BSD-3-Clause
Location: /Users/david/repos/python/sbom4python/env/lib/python3.10/site-packages
Requires: MarkupSafe
Required-by: Flask

Extract from the generated sbom.spdx.json:

{
  "spdxElementId": "SPDXRef-Package-4-jinja2",
  "relatedSpdxElement": "SPDXRef-Package-5-markupsafe",
  "relationshipType": "CONTAINS"
}
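The distinction the issue draws (a pip dependency between two packages is DEPENDS_ON, while CONTAINS describes one artefact physically holding another, such as a package holding its files) can be checked mechanically over an SPDX JSON document. The script below is an added example and is not part of sbom4python or the issue: it parses a constructed SPDX document shaped like the extract above (the markupsafe version, the file entry and the DESCRIBES relationship are made up for the sample), reports every CONTAINS relationship whose two ends are both packages, rewrites those to DEPENDS_ON, and shows how DEPENDS_ON relationships would be built from a name-to-requirements map like the `Requires:` line of `pip show`. The function and variable names are the example's own.

```python
"""Check and repair package-to-package relationship types in an SPDX JSON SBOM.

Added example, not sbom4python code. A CONTAINS edge between two packages is
reported as a misuse; the correct type for a pip dependency is DEPENDS_ON.
CONTAINS between a package and one of its files is left alone.
"""
import copy
import json
from typing import Dict, List, Set

# Constructed sample document. Only the jinja2 -> markupsafe CONTAINS edge
# mirrors the extract from the issue; everything else is made up here.
SAMPLE_SBOM_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {"SPDXID": "SPDXRef-Package-4-jinja2", "name": "jinja2", "versionInfo": "3.1.2"},
        {"SPDXID": "SPDXRef-Package-5-markupsafe", "name": "markupsafe",
         "versionInfo": "0.0.0-constructed"},
    ],
    "files": [
        {"SPDXID": "SPDXRef-File-1", "fileName": "./jinja2/__init__.py"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT",
         "relatedSpdxElement": "SPDXRef-Package-4-jinja2",
         "relationshipType": "DESCRIBES"},
        # The relationship the issue flags: package "contains" a package.
        {"spdxElementId": "SPDXRef-Package-4-jinja2",
         "relatedSpdxElement": "SPDXRef-Package-5-markupsafe",
         "relationshipType": "CONTAINS"},
        # A legitimate CONTAINS: a package physically holds one of its files.
        {"spdxElementId": "SPDXRef-Package-4-jinja2",
         "relatedSpdxElement": "SPDXRef-File-1",
         "relationshipType": "CONTAINS"},
    ],
}, indent=2)


def parse_sbom(text: str) -> dict:
    """Parse an SPDX JSON document into a dict."""
    return json.loads(text)


def sample_document() -> dict:
    """Return the constructed sample document, parsed."""
    return parse_sbom(SAMPLE_SBOM_JSON)


def package_ids(doc: dict) -> Set[str]:
    """Collect the SPDXIDs of all package elements in the document."""
    return {pkg["SPDXID"] for pkg in doc.get("packages", [])}


def find_misused_contains(doc: dict) -> List[dict]:
    """Return CONTAINS relationships whose source and target are both packages."""
    pkgs = package_ids(doc)
    return [
        rel for rel in doc.get("relationships", [])
        if rel.get("relationshipType") == "CONTAINS"
        and rel.get("spdxElementId") in pkgs
        and rel.get("relatedSpdxElement") in pkgs
    ]


def rewrite_to_depends_on(doc: dict) -> dict:
    """Return a copy of doc with package-to-package CONTAINS changed to DEPENDS_ON."""
    fixed = copy.deepcopy(doc)
    pkgs = package_ids(fixed)
    for rel in fixed.get("relationships", []):
        if (rel.get("relationshipType") == "CONTAINS"
                and rel.get("spdxElementId") in pkgs
                and rel.get("relatedSpdxElement") in pkgs):
            rel["relationshipType"] = "DEPENDS_ON"
    return fixed


def dependency_relationships(requires: Dict[str, List[str]],
                             spdx_ids: Dict[str, str]) -> List[dict]:
    """Build DEPENDS_ON relationships from a package -> requirements map.

    `requires` has the shape of pip's 'Requires:' metadata (e.g. jinja2 requires
    markupsafe); `spdx_ids` maps each package name to its SPDXID.
    """
    return [
        {"spdxElementId": spdx_ids[name],
         "relatedSpdxElement": spdx_ids[dep],
         "relationshipType": "DEPENDS_ON"}
        for name, deps in requires.items()
        for dep in deps
    ]


if __name__ == "__main__":
    doc = sample_document()
    for rel in find_misused_contains(doc):
        print(f"package-to-package CONTAINS: {rel['spdxElementId']} -> "
              f"{rel['relatedSpdxElement']} (should be DEPENDS_ON)")
    print(json.dumps(rewrite_to_depends_on(doc)["relationships"], indent=2))
```

Run it against a real `sbom.spdx.json` by replacing `sample_document()` with `parse_sbom(open(path).read())`; the check is purely structural, so it works on any SPDX 2.x JSON document regardless of which tool produced it.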

@dmholtz I think SPDX has far too many relationship semantics!! I agree that DEPENDS ON is more appropriate than a CONTAINS relationship.


I agree, the list of relationship types is overwhelming. DEPENDS ON is probably the most important one for this project, since individual files are not considered.

Fixed in release v0.7.0