SPDX as package manifest does not work for CONTAINS relationship #9969
Comments
I noticed that SPDX as a manifest does not work either for |
Do I understand correctly that you assume I believe this assumption is wrong and therefore I remove the "bug" label. Note that SPDX BOM files produced by ORT use the |
This describes an Erlang/OTP project, which CONTAINS the runtime system (ERTS), and a vendor library PCRE2. Does this make sense? If not, why is |
Hm, an analyzer result is a model which is different from SPDX. The SPDX model gets mapped to And then, the mapping back from ORT's model to SPDX is about choosing the relationship types which seem the best fit for exporting the data from ORT's model (which does not know (besides the Identifier type) that it's been imported from SPDX). Does this make any sense to you? |
Yes, I follow your logic (but I am clueless about the internal mappings, of course). Question Example:
So I was wondering if it is not too difficult to add a (To reiterate, I understand that some relations are not easy to express, just checking if this one is simpler 😃 ) |
@kikofernandez The SPDXDocument analyzer by design does not support the full SPDX spec but was implemented as fallback - the question is now should we patch it up to support your use cases or invest efforts into supporting SBOM as first class input to ORT per #9878? |
Even if I want this mapping, maybe from maintenance perspective #9878 is more important. Thanks for the discussion 😃 |
Describe the bug
I create a SPDX as a package manifest (spdx/spdx-spec#439) and the relationship DESCRIBES does not appear in the analyzer output result (because of this, it does not appear either in the scanner nor in a final SPDX report).

To Reproduce
Steps to reproduce the behavior:
https://github.com/elixir-lang/elixir/blob/main/project.spdx.yml#L156-L174
./gradlew --no-configuration-cache cli:run --args="analyze -i elixir -o . -f JSON"
STATIC_LINK, the analyzer does create that relationship in the analyze-result.json)

Expected behavior
Expected the contains relation to appear in the analyze-result.json and also in the final SPDX report.

Environment
And specify (relevant parts of) your ORT configuration (config.yml): Elixir config link, copy-paste below
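As an added illustration (not code from ORT or from the issue author), the check a reporter can run against an SPDX manifest before filing: walk the DESCRIBES and CONTAINS relationships of a constructed document modelled on the Erlang/OTP example above and compare the expected contained packages with what an analyzer result actually lists. The document, package names and versions are constructed, not a real manifest.

```python
# Constructed minimal SPDX 2.3 document (JSON form), modelled on the
# Erlang/OTP example from the discussion: the project package CONTAINS the
# runtime system (ERTS) and the vendored PCRE2 library. IDs and versions
# are illustrative, not taken from any real manifest.
SPDX_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "erlang-otp-example",
    "packages": [
        {"SPDXID": "SPDXRef-Project-OTP", "name": "otp", "versionInfo": "27.0"},
        {"SPDXID": "SPDXRef-Package-ERTS", "name": "erts", "versionInfo": "15.0"},
        {"SPDXID": "SPDXRef-Package-PCRE2", "name": "pcre2", "versionInfo": "10.42"},
        {"SPDXID": "SPDXRef-Package-Zlib", "name": "zlib", "versionInfo": "1.3"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Project-OTP"},
        {"spdxElementId": "SPDXRef-Project-OTP", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-ERTS"},
        {"spdxElementId": "SPDXRef-Project-OTP", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Package-PCRE2"},
        # Inverse spelling: "zlib CONTAINED_BY erts" is the same edge as
        # "erts CONTAINS zlib", so both forms must be honoured.
        {"spdxElementId": "SPDXRef-Package-Zlib", "relationshipType": "CONTAINED_BY",
         "relatedSpdxElement": "SPDXRef-Package-ERTS"},
    ],
}

def described_packages(doc):
    """SPDXIDs the document element DESCRIBES (the root project packages)."""
    return sorted(r["relatedSpdxElement"] for r in doc["relationships"]
                  if r["spdxElementId"] == doc["SPDXID"]
                  and r["relationshipType"] == "DESCRIBES")

def contained_closure(doc, root_id):
    """All SPDXIDs transitively contained by root_id, via CONTAINS or CONTAINED_BY."""
    edges = {}
    for r in doc["relationships"]:
        if r["relationshipType"] == "CONTAINS":
            edges.setdefault(r["spdxElementId"], set()).add(r["relatedSpdxElement"])
        elif r["relationshipType"] == "CONTAINED_BY":
            edges.setdefault(r["relatedSpdxElement"], set()).add(r["spdxElementId"])
    seen, stack = set(), [root_id]
    while stack:  # iterative DFS; the seen set makes it safe on cyclic input
        for child in edges.get(stack.pop(), ()):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return sorted(seen)

def missing_from_result(doc, root_id, result_package_ids):
    """Contained packages the manifest declares but an analyzer result omits."""
    return sorted(set(contained_closure(doc, root_id)) - set(result_package_ids))
```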
Comments
I have observed the same thing for Erlang/OTP and other projects where I tried to create CONTAINS relationships. Another example is this fork of jesse, and this is the SPDX manifest (here): FYI @maennchen