Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: reverse direction of SPDX SBOM dependency rels #7036

Merged
merged 1 commit into from
Dec 1, 2023
Merged

fix: reverse direction of SPDX SBOM dependency rels #7036

merged 1 commit into from
Dec 1, 2023

Conversation

bdehamer
Copy link
Contributor

As discussed in #6867 some of the relationship types in the SPDX SBOM are using labels which don't match the direction of the relationship. This change fixes generated relationship entries so that the relationshipType aligns with the direction of the dependency relationship being described.

For some types of relationships SPDX defines a pair of related types which can be used to describe dependency relationships from either parent-to-child or child-to-parent. For example:

{
  "spdxElementId": "parent-1.0.0",
  "relatedSpdxElement": "child-1.0.0",
  "relationshipType": "DEPENDS_ON"
}

Which can also be represented as

{
  "spdxElementId": "child-1.0.0",
  "relatedSpdxElement": "parent-1.0.0",
  "relationshipType": "DEPENDENCY_OF"
}

Note how the second example swaps the place of the parent/child and switches the relationship type from "DEPENDS_ON" to "DEPENDENCY_OF".

Unfortunately, not all of the SPDX-supported relationship types have a matched inverse. Specifically, OPTIONAL_DEPENDENCY_OF and DEV_DEPENDENCY_OF have no matching type which would allow the relationship to be reversed (HAS_OPTIONAL_DEPENDENCY and HAS_DEV_DEPENDENCY would make sense, but aren't supported in the SPDX spec).

In order to consistently represent ALL of the different relationships and ensure that the supplied type properly describes the direction of the relationship, we're going to swap the position of the parent/child nodes in the relationship (spdxElementId will always reference the child, while relatedSpdxElement will always reference the parent) and exclusively use the child-to-parent relationship type labels: DEPENDENCY_OF, DEV_DEPENDENCY_OF, OPTIONAL_DEPENDENCY_OF, and PREREQUISITE_FOR.

References

Fixes #6867

@antonbauhofer @bdehamer
fix: reverse direction of SPDX SBOM dep rels
6e1c4eb 
This adjusts the relationships to match the explanations at https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/

Co-authored-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer requested a review from a team as a code owner November 29, 2023 18:50
@bdehamer bdehamer mentioned this pull request Nov 29, 2023
Closed
@maxhbr
Copy link

maxhbr commented Nov 29, 2023

Thank for reviving our contribution https://github.com/npm/cli/pull/6868/files.

CC: @antonbauhofer

@wraithgar
Copy link
Member

Thanks @bdehamer @maxhbr and @antonbauhofer!

@wraithgar wraithgar merged commit bc7f53d into latest Dec 1, 2023
36 checks passed
@wraithgar wraithgar deleted the bdehamer/spdx-sbom-deps branch December 1, 2023 17:03
@github-actions github-actions bot mentioned this pull request Dec 1, 2023
Merged
@bdehamer bdehamer mentioned this pull request Dec 1, 2023
Merged
@npm-cli-bot npm-cli-bot mentioned this pull request Jan 10, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wraithgar wraithgar wraithgar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[BUG] Relationships in SPDX sbom pointing in wrong direction
4 participants
@bdehamer @maxhbr @wraithgar @antonbauhofer