Enhance SPDX Support #444
Comments
|
See #451 as it's possible that WRT describing dependencies in the SPDX output, I particularly love the idea because IMHO it's existing metadata which can be potentially valuable for the SBOM consumer, but I can also see the argument for "flat SBOMs". I would say there are two levels, one would be literally taking a big string with the dependency information for each package and adding it as a comment or something semantically equivalent to a comment in the SPDX document, the next level would be converting those package names from their native names to the SPDX identifier or purl spec for proper linkage. Another thing which I'm not sure if you're interested in considering is adding any leftover files to the final SBOM document, in particular SPDX supports files as you know: https://spdx.github.io/spdx-spec/4-file-information/ This would be for anything else in the tree that hasn't been accounted for and that is relevant to the SBOM (i.e., not stuff under /home, etc., unless explicitly included), when thinking in terms of utilities I think about the output of Just a few ideas. Thanks for giving SPDX enrichment additional thought! |
Completing #213 adds support for generating SPDX documents, however, there are several opportunities to expand upon what can be expressed in an SPDX document. For instance, we have a file cataloger and are aware for select package types which files belong to a package... we could be leveraging the "FilesAnalyzed" package indication and showing the file digests for these package files. Additionally we could be adding relationships between these files and packages. For packages with transitive dependencies known, we could be building a dependency graph. There are many directions this can take, this issue is here as a placeholder to show that we could be supporting more of what can be expressed in an SPDX document.
Explorations to try (but not limited to):
The text was updated successfully, but these errors were encountered: