Describe the bug
A clear and concise description of what the bug is.
To Reproduce
Generate an SPDX tag value report
Search for "DESCRIBES" anywhere in the resulting document and notice that it does not exist.
Error in terminal
According to the SPDX Spec, SPDX requires at least one relationship and that relationship is SBOM to artifact, implemented by using the "DESCRIBES" relationship when more than one package or set of files is present:
An SPDX document WildFly.spdx describes package ‘WildFly’. Note this is a logical relationship to help organize related items within an SPDX document that is mandatory if more than one package or set of files (not in a package) is present.
Expected behavior
There should be a "DESCRIBES" relationship between the SPDXRef-DOCUMENT and the SPDXRef-ContainerImage in the tag value document. The SPDX JSON document contains this relationship.
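A check for the expected behavior above, added here as an example and not taken from the issue or from Tern's code: it scans an SPDX tag-value document for a `DESCRIBES` relationship from `SPDXRef-DOCUMENT` (or the inverse `DESCRIBED_BY`) and flags described IDs that are never defined. The sample documents are constructed and abbreviated, and the function names are hypothetical.

```python
import re

DOC_ID = "SPDXRef-DOCUMENT"
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

def iter_tags(text):
    """Yield (tag, value) pairs; skip comments and multi-line <text> bodies."""
    in_text = False
    for line in text.splitlines():
        if in_text:  # inside <text>...</text>: tag-like lines here are free text
            in_text = "</text>" not in line
            continue
        m = TAG_RE.match(line.strip())
        if not m:  # blank line, '#' comment, or not a tag line
            continue
        if "<text>" in m.group(2) and "</text>" not in m.group(2):
            in_text = True
        yield m.group(1), m.group(2).strip()

def described_elements(text):
    """Return (IDs the document DESCRIBES, those lacking an SPDXID definition)."""
    defined, described = set(), set()
    for tag, value in iter_tags(text):
        parts = value.split()
        if tag == "SPDXID":
            defined.add(value)
        elif tag == "Relationship" and len(parts) == 3:
            left, rel, right = parts
            if left == DOC_ID and rel == "DESCRIBES":
                described.add(right)
            elif right == DOC_ID and rel == "DESCRIBED_BY":  # inverse form
                described.add(left)
    return described, described - defined

# Constructed, abbreviated sample (not real Tern output). The Relationship
# line inside <text> is comment text and must not count as a relationship.
MISSING = """\
SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
DocumentComment: <text>Example of the expected line:
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-ContainerImage
</text>
PackageName: sample-image
SPDXID: SPDXRef-ContainerImage
Relationship: SPDXRef-ContainerImage CONTAINS SPDXRef-layer1
"""
FIXED = MISSING + "Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-ContainerImage\n"
if __name__ == "__main__":
    for name, doc in (("missing", MISSING), ("fixed", FIXED)):
        print(name, described_elements(doc))
```

An empty first set means the document has no SBOM-to-artifact relationship; a non-empty second set means it describes an element it never defines.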
rnjudge added a commit to rnjudge/tern that referenced this issue Nov 8, 2021
The SPDX spec requires at least one DESCRIBES SBOM to artifact
relationship in cases where "more than one package or set of
files (not in a package) is present". This commit adds the describes
relationship that was missing in the spdxtagvalue report.
Resolves tern-tools#1079
Signed-off-by: Rose Judge <[email protected]>