analyzer: Fix SPDX metadata to point to a source artifact #3787
Conversation
There was a problem hiding this comment.
We can't set filesAnalyzed to true as then Package Verification Code becomes mandatory per the spec which is something we don't want as makes creating SPDX package manifest more complicated.
The current definition of "Files Analyzed" has been problematic since I started working on SPDX, hope to drop it from the spec in 3.0.
Argh. Fortunately, our SPDX reader does not check for that 😁 So maybe we could slightly violate the spec here? Or, maybe we could simply set
How would v3 then distinguish between download URLs of binary vs sources? Ideally, these would just be separate fields (like in ORT 😉 ) so that you can also capture both at the same time. |
sschuberth
force-pushed
the
spdx-source-artifacts
branch
2 times, most recently
from
96fb6ac to
7ff589e
Compare
|
Ping @tsteenbe, mind having another look? |
|
@sschuberth Setting filesAnalyzed to true and not providing Package Verification Code will cause an exception in SPDX reader whilst keeping it false and misusing downloadLocation as source code location will not cause any issues. |
Which reader exactly?
But we'll also have no man to tell that it is a source location. It will be treated as a binary location instead. |
sschuberth
force-pushed
the
spdx-source-artifacts
branch
from
7ff589e to
991dcc7
Compare
|
Anyway, I've added the |
I didn't want to "mix-in" an otherwise unrelated change to |
sschuberth
force-pushed
the
spdx-source-artifacts
branch
from
991dcc7 to
2f792d8
Compare
There was a problem hiding this comment.
@sschuberth Adding just packageVerificationCode with filesAnalyzed set to true you also for instance need to add PackageLicenseInfoFromFiles see https://spdx.github.io/spdx-spec/3-package-information/#314-all-licenses-information-from-files
It's a bad idea to set filesAnalyzed to true
But how can we then distinguish between |
A rather simple solution for that would be to require that source artifacts have to use VCS identifiers in the URLs e.g. git+https://git.myproject.org/MyProject.git. I know this does not work for maven source artifacts but for the few exceptions we could build in regexes to detected the edge cases. |
Unfortunately, it's not only a "few exceptions". We heavily rely on custom SPDX files that refer to source artifacts in ZIP files in arbitrary locations. There's no sane way to deal with these with regexes. |
|
@tsteenbe I just checked on this PR again. I'm reading the spec so that for
So as both allow a cardinality of 0, these fields should be optional even with |
sschuberth
force-pushed
the
spdx-source-artifacts
branch
from
2f792d8 to
aca412a
Compare
When making local changes to that file, test would always fail as the file is not merged upstream yet. A better approach to test the resolution of remote SPDX files will be added later. Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
The "curl-7.70.0.tar.gz" archive contains the source code, so it should be treated as a source artifact instead of a binary artifact, which is signalled by setting "filesAnalyzed" to "true". Also see 15512d3. Signed-off-by: Sebastian Schuberth <sebastian.schuberth@bosch.io>
sschuberth
force-pushed
the
spdx-source-artifacts
branch
from
aca412a to
b74d04b
Compare
|
Closing this in favor of the different approach in #4816. |
The "curl-7.70.0.tar.gz" archive contains the source code, so it should
be treated as a source artifact instead of a binary artifact, which is
signalled by setting "filesAnalyzed" to "true".
Also see 15512d3.
Signed-off-by: Sebastian Schuberth sebastian.schuberth@bosch.io