I'm not really sure it is optional; 'max 1' could very well mean it is only required under certain circumstances, e.g. when another option is not set. The spec kind of contradicts itself here:

package: "A Package represents a collection of software files that are delivered as a single functional component."

files analyzed: "Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If set to false, the package must not contain any files."

So if a package is a collection of files, it can't not contain files. Besides this, what good would a license do in this case?

As far as I understand, filesAnalyzed says whether the package has been analysed by some tool during SBOM creation or is just a reference to an external component with license information attached. Since we are using information from the rule files (URI + license information, however it got there) and don't use a tool for analysis, IMHO adding filesAnalyzed=False is accurate and creates an SBOM that the spdx.org tool considers valid.
Ralf

________________________________
From: Michael Olbrich <[email protected]>
Sent: Friday, 27 June 2025 08:45
To: Ralf Glaser <[email protected]>
Cc: [email protected] <[email protected]>
Subject: Re: [ptxdist] [PATCH] spdx.py: add filesAnalyzed property

On Tue, Jun 03, 2025 at 04:40:24PM +0200, Ralf Glaser wrote:
> Add boolean filesAnalyzed property without which
> https://tools.spdx.org/app/validate/
> will not recognize the SPDX-SBOM as valid.

Hmm, that is strange. If I read the spec[1] correctly then this property is optional. And setting it to false seems incorrect as well: "If set to false, the package must not contain any files."

Michael

[1] https://spdx.org/rdf/spdx-terms-v2.3/#d4e2963

> Signed-off-by: Ralf Glaser <[email protected]> > --- > scripts/report/spdx.py | 24 ++++++++++++++++++++++++ > 1 file changed, 24 insertions(+) > > diff --git a/scripts/report/spdx.py b/scripts/report/spdx.py > index 96e56af19..f6fc371f8 100644 > --- a/scripts/report/spdx.py > +++ b/scripts/report/spdx.py > @@ -64,6 +64,29 @@ class _String(_Property): > def init(self, source): > return source > > +class _Bool(_Property): > + """ > + A scalar bool property for an SPDX object > + """ > + > + def __init__(self, **kwargs): > + super().__init__(**kwargs) > + > + def set_property(self, attrs, name): > + def get_helper(obj): > + return obj._spdx[name] > + > + def set_helper(obj, value): > + obj._spdx[name] = value > + > + def del_helper(obj): > + del obj._spdx[name] > + > + attrs[name] = property(get_helper, set_helper, del_helper) > + > + def init(self, source): > + return source > + > > class _Object(_Property): > """ 
> @@ -247,6 +270,7 @@ class SPDXPackage(SPDXObject): > packageFileName = _String() > annotations = _ObjectList(SPDXAnnotation) > checksums = _ObjectList(SPDXChecksum) > + filesAnalyzed = _Bool(default=False) > > > class SPDXFile(SPDXObject): > -- > 2.49.0 > > >

--
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
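Review bot: in the `_Bool` hunk, `init` returns `source` unchanged, so a non-boolean value handed to the property (for example the string "false" read from a rule file) is stored as-is and would be serialized as a JSON string rather than a JSON boolean; consider `return bool(source)` there, or raise a TypeError when `source` is not a bool. The `__init__` that only calls `super().__init__(**kwargs)` adds nothing and can be dropped. The `init` body is also the same as `_String.init` shown just above it, so if the two classes share the same `set_property` as well, a common scalar base class would avoid duplicating the getter/setter/deleter boilerplate.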
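Review bot: `filesAnalyzed = _Bool(default=False)` in the `SPDXPackage` hunk makes every package assert that its files were not analyzed, and the spec text quoted in this thread says a package with filesAnalyzed false must not contain any files, so the default silently becomes wrong for any `SPDXPackage` that is later given file entries. Consider deriving the value from whether the package actually carries files, or requiring the caller to set it explicitly instead of defaulting it, and add a short comment in the class body stating the "false implies no files" constraint so the next reader does not have to rediscover it from the spec.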
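The thread argues about whether filesAnalyzed is optional and whether false is allowed for a package built from rule-file metadata. What the SPDX 2.3 text adds to that, and the point the discussion circles around, is that an omitted filesAnalyzed is treated as true, and a true (or omitted) filesAnalyzed makes packageVerificationCode mandatory, while a false one forbids both files and a verification code. That would explain why a document with neither key is rejected. The checker below, written for this page as an added example and not ptxdist or spdx.org code, encodes those three rules over the JSON form of an SPDX 2.3 document and also computes the verification code the way the spec defines it (sorted file SHA-1 hex digests, concatenated, hashed with SHA-1), which is what a package would need if filesAnalyzed were left true. The sample SBOM is constructed for the example; package names, SPDXIDs and download URLs in it are made up.

```python
"""
Consistency checks for the SPDX 2.3 filesAnalyzed rules on the JSON form of
an SBOM. Added example for this thread, not ptxdist code. Rules implemented,
as the SPDX 2.3 package fields define them:
  - filesAnalyzed is optional and defaults to true when the key is absent;
  - if it is true or omitted, packageVerificationCode is mandatory;
  - if it is false, the package must not list files and must not carry a
    packageVerificationCode.
"""
import hashlib
import json
import re

# A package verification code value is a 40-character lowercase SHA-1 hex digest.
SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")


def files_analyzed(pkg):
    """Effective filesAnalyzed for a package dict: true when the key is absent."""
    return bool(pkg.get("filesAnalyzed", True))


def verification_code(file_sha1s):
    """SPDX 2.3 package verification code: sort the files' SHA-1 hex digests,
    concatenate them with no separator, and take the SHA-1 of the result."""
    joined = "".join(sorted(h.lower() for h in file_sha1s))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def check_package(pkg):
    """Return a list of finding strings for one package dict (empty if consistent)."""
    findings = []
    name = pkg.get("name") or pkg.get("SPDXID", "<unnamed>")
    lists_files = bool(pkg.get("hasFiles"))
    pvc = pkg.get("packageVerificationCode")

    if files_analyzed(pkg):
        # true or omitted: a verification code over the analysed files is required
        if pvc is None:
            findings.append(f"{name}: filesAnalyzed is true or omitted, so packageVerificationCode is required")
        elif not SHA1_HEX.match(str(pvc.get("packageVerificationCodeValue", ""))):
            findings.append(f"{name}: packageVerificationCodeValue is not a 40-character SHA-1 hex string")
    else:
        # false: reference-only package; no files and no verification code allowed
        if lists_files:
            findings.append(f"{name}: filesAnalyzed is false but the package lists files")
        if pvc is not None:
            findings.append(f"{name}: filesAnalyzed is false but packageVerificationCode is present")
    return findings


def check_document(doc_json):
    """Run check_package over every package in an SPDX 2.3 JSON document string."""
    doc = json.loads(doc_json)
    findings = []
    for pkg in doc.get("packages", []):
        findings.extend(check_package(pkg))
    return findings


# Constructed sample, not real ptxdist output. Package 1 mirrors a reference-only
# entry built from rule-file metadata (download URI + license) with filesAnalyzed
# omitted; package 2 is the same shape with filesAnalyzed set to false; package 3
# claims filesAnalyzed=false while still listing a file.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-zlib",
            "name": "zlib",
            "downloadLocation": "https://example.invalid/zlib-1.3.1.tar.gz",
            "licenseConcluded": "Zlib",
        },
        {
            "SPDXID": "SPDXRef-Package-busybox",
            "name": "busybox",
            "downloadLocation": "https://example.invalid/busybox-1.36.1.tar.bz2",
            "licenseConcluded": "GPL-2.0-only",
            "filesAnalyzed": False,
        },
        {
            "SPDXID": "SPDXRef-Package-foo",
            "name": "foo",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "hasFiles": ["SPDXRef-File-foo-main-c"],
        },
    ],
})

if __name__ == "__main__":
    for finding in check_document(SAMPLE_SBOM):
        print(finding)
```

Run against the sample, the checker flags zlib (filesAnalyzed omitted, hence effectively true, with no verification code) and foo (false while listing a file), and accepts busybox, which is the shape the patch produces for every package. The take-away for the patch is that a blanket default of False is only correct as long as the generator never attaches file entries to a package; the moment it does, filesAnalyzed has to flip to true and a verification code has to be computed over those files.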
