
fix: Switch refs for dev and opt dependencies in SPDX sboms #6871

Conversation

antonbauhofer
Contributor

As pointed out in this comment, the relationships in SPDX sboms are currently incorrect.

In order to keep the directions as intuitive as possible, we leave them as is for dependencies and prerequisites, and only swap the refs for dev and optional dependencies, where it is currently not correct.

Fixes #6867

This adjusts the relationships to match the explanations at https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/

Fixes npm#6867

Signed-off-by: Anton Bauhofer <anton.bauhofer@tngtech.com>
@maxhbr

maxhbr commented Oct 5, 2023

This fixes the issue #6867 (which should still be open)

@wraithgar
Member

Sorry for the confusion earlier today. I'll let @bdehamer review this.

@maxhbr

maxhbr commented Oct 5, 2023

Thanks for your support! I think the initial misunderstanding was caused by my imprecise comment on #6801, so I might be to blame for confusion here.

@wraithgar wraithgar requested a review from bdehamer October 6, 2023 14:49
@maxhbr

maxhbr commented Nov 28, 2023

@bdehamer: this is still a bug in npm and it would benefit from your review.

@bdehamer
Contributor

@maxhbr if SPDX is ok with inverting those relationships for OPTIONAL_DEPENDENCY_OF and DEV_DEPENDENCY_OF, should we just flip them all and switch DEPENDS_ON/HAS_PREREQUISITE to DEPENDENCY_OF/PREREQUISITE_FOR?

This would make the direction of the relationship consistent across all four types (and eliminate some complexity from the implementation).

@maxhbr

maxhbr commented Nov 29, 2023

Yes, I agree that this would be an option. We implemented that in https://github.com/npm/cli/pull/6868/files
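A worked illustration of the two directional conventions discussed in this thread (the partial swap from this PR, and the full flip to DEPENDENCY_OF/PREREQUISITE_FOR proposed above), together with a validator an SBOM consumer can run to spot misdirected relationships. This is an added JavaScript example, not code from the npm/cli project; the sample graph, the SPDXRef naming and the mapping of peer edges to the prerequisite relationship types are assumptions.

```javascript
// Added example, not code from the npm/cli project: emits SPDX 2.3 relationships
// for a constructed npm dependency graph and checks their direction. In SPDX 2.3,
// DEPENDS_ON and HAS_PREREQUISITE read parent -> child, while DEV_DEPENDENCY_OF and
// OPTIONAL_DEPENDENCY_OF read child -> parent ("jest is a DEV_DEPENDENCY_OF app").
// Constructed sample graph: [parent, child, edge kind]. Mapping peer edges to the
// prerequisite relationship types is an assumption made for this example.
const EDGES = [
  ['app', 'express', 'prod'],
  ['app', 'jest', 'dev'],
  ['app', 'fsevents', 'optional'],
  ['app', 'react', 'peer'],
];
// Convention from this PR: keep DEPENDS_ON/HAS_PREREQUISITE, swap only dev/optional.
const MIXED = { prod: 'DEPENDS_ON', peer: 'HAS_PREREQUISITE',
  dev: 'DEV_DEPENDENCY_OF', optional: 'OPTIONAL_DEPENDENCY_OF' };
// Convention proposed later in the thread: child -> parent for all four kinds.
const ALL_CHILD_FIRST = { prod: 'DEPENDENCY_OF', peer: 'PREREQUISITE_FOR',
  dev: 'DEV_DEPENDENCY_OF', optional: 'OPTIONAL_DEPENDENCY_OF' };
// Types whose spdxElementId must be the child (the *_OF / *_FOR family).
const CHILD_FIRST_TYPES = new Set(Object.values(ALL_CHILD_FIRST));
const ref = (name) => `SPDXRef-Package-${name}`;

// Emit each relationship in the direction its SPDX definition requires.
function toRelationships(edges, mapping) {
  return edges.map(([parent, child, kind]) => {
    const relationshipType = mapping[kind];
    const [from, to] = CHILD_FIRST_TYPES.has(relationshipType)
      ? [child, parent] : [parent, child];
    return { spdxElementId: ref(from), relationshipType, relatedSpdxElement: ref(to) };
  });
}

// Pre-fix behaviour for comparison: parent first regardless of type.
function parentFirstRelationships(edges, mapping) {
  return edges.map(([parent, child, kind]) => ({
    spdxElementId: ref(parent), relationshipType: mapping[kind], relatedSpdxElement: ref(child),
  }));
}

// Validator for an SBOM consumer: relationships whose direction contradicts the
// real dependency edge, which is how the bug in #6867 shows up.
function misdirected(relationships, edges) {
  const real = new Set(edges.map(([p, c]) => `${ref(p)}>${ref(c)}`));
  return relationships.filter((r) => {
    const [parent, child] = CHILD_FIRST_TYPES.has(r.relationshipType)
      ? [r.relatedSpdxElement, r.spdxElementId] : [r.spdxElementId, r.relatedSpdxElement];
    return !real.has(`${parent}>${child}`);
  });
}
```

Running `misdirected` over the parent-first output flags exactly the dev and optional entries, while both corrected conventions pass cleanly.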

@bdehamer
Contributor

Closing this in favor of #7036 so that we can swap the direction for ALL of the relationship types.

@bdehamer bdehamer closed this Nov 29, 2023

Successfully merging this pull request may close these issues.

[BUG] Relationships in SPDX sbom pointing in wrong direction