
Files without an associated Package allowed by spec, but not supported in Document class

Open njv299 opened this issue 4 years ago • 1 comments

The current SPDX spec allows for Files to be included in a Document with no associated Package.

This is specified at https://spdx.github.io/spdx-spec/4-file-information/ in the following section (see bullet points 1 and 4):

Despite this, the current Document class does not allow this. While it does have a deprecated 'files' property, that property setter requires that a Package object is provided (via the package property), and all files are associated to that package instead of just being part of the Document's file set per the spec.

In addition, it does not appear that the writer classes (at least the tag/value writer) support this notion either, as all File objects that are serialized are done so as part of a Package.

njv299 Jul 16 '21 16:07

@licquia, @kestewart, @pombredanne, et al., PR in-progress for this. Will also add Package rdf:hasFile support to parser, more tests, and utilize the unpackaged files capability to address RDF parser bug where all referencesFile Files get added to the last-listed Package*

Aiming to have something, middle of next week.

*e.g.: https://github.com/spdx/tools-python/blob/f5629c7056b21cbca8543ce3eaa805ec74de535a/spdx/parsers/tagvaluebuilders.py#L1034-L1046 via (rdfbuilder extends tagvaluebuilders.FileBuilder) https://github.com/spdx/tools-python/blob/f5629c7056b21cbca8543ce3eaa805ec74de535a/spdx/parsers/rdf.py#L1302-L1315

bjamesv Jun 08 '22 19:06
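
An added illustration of the two behaviours discussed in this thread (not code from spdx/tools-python, and not part of either comment): a minimal tag/value reader that keeps files appearing before any package on the document itself, plus a check listing the files whose owner would change if every file were attached to the last-listed package. The `Document.unpackaged_files` field, the function names and the sample input are assumptions made for the example; the positional rule (a file belongs to the package section that precedes it, otherwise to the document) is this example's reading of the spec section linked above.

```python
# Added illustration; hypothetical names, not the tools-python API.
from dataclasses import dataclass, field

# Constructed tag/value fragment: one file before any package, then two packages.
SAMPLE = """\
FileName: ./LICENSE
SPDXID: SPDXRef-File-License
PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
FileName: ./libfoo/foo.c
SPDXID: SPDXRef-File-foo
PackageName: libbar
SPDXID: SPDXRef-Package-libbar
FileName: ./libbar/bar.c
SPDXID: SPDXRef-File-bar
"""

@dataclass
class Package:
    name: str
    files: list = field(default_factory=list)

@dataclass
class Document:
    packages: list = field(default_factory=list)
    unpackaged_files: list = field(default_factory=list)  # hypothetical field

def parse_positional(text):
    """Attach each file to the package section preceding it, else to the document."""
    doc, current = Document(), None
    for line in text.splitlines():
        tag, _, value = line.partition(":")
        value = value.strip()
        if tag == "PackageName":
            current = Package(value)
            doc.packages.append(current)
        elif tag == "FileName":
            (current.files if current else doc.unpackaged_files).append(value)
    return doc

def misattributed(text):
    """Files whose owner changes if all files go to the last-listed package."""
    doc = parse_positional(text)
    last = doc.packages[-1].name if doc.packages else None
    owners = {f: None for f in doc.unpackaged_files}
    for pkg in doc.packages:
        owners.update({f: pkg.name for f in pkg.files})
    return sorted(f for f, owner in owners.items() if owner != last)
```

For an SBOM consumer, every path returned by `misattributed` is a file that would inherit the wrong package's license and supplier data under the last-package behaviour.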