I see for instance this snippet in an SPDX output:
```json
"packages": [
  {
    "name": "apache-tomcat",
    "SPDXID": "SPDXRef-scancodeio-discoveredpackage-689de760-7611-4d26-8fa7-2dcfee8440ac",
    "downloadLocation": "https://archive.apache.org/dist/tomcat/tomcat-9/v9.0.82/bin/apache-tomcat-9.0.82.tar.gz",
    "licenseConcluded": "Apache-2.0 AND bzip2-1.0.6 AND CDDL-1.0 AND CPL-1.0 AND EPL-1.0 AND LZMA-exception AND Zlib",
    "copyrightText": "Copyright 1999-2023 The Apache Software Foundation",
    "filesAnalyzed": false,
    "versionInfo": "9.0.82",
    "licenseDeclared": "Apache-2.0 AND bzip2-1.0.6 AND CDDL-1.0 AND CPL-1.0 AND EPL-1.0 AND LZMA-exception AND Zlib",
    "packageFileName": "*tomcat-9.0.82/*",
    "externalRefs": [
      {
        "referenceCategory": "PACKAGE-MANAGER",
        "referenceType": "purl",
        "referenceLocator": "pkg:generic/apache-tomcat@9.0.82"
      }
    ],
```
This came from a d2d pipeline with an ABOUT file with this:

https://spdx.github.io/spdx-spec/v2.3/package-information/#74-package-file-name-field

The field is optional and does not make much sense at scale, as a package can have one or more paths, files, or archives with includes and excludes, and the name of its compressed archive usually has little value or bearing on what we see on disk.

I think it would be better to exclude packageFileName entirely from the SPDX output, as it is not well specified and not practically usable for real-life cases.
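The post above argues that `packageFileName` carries glob patterns rather than real archive names and should be dropped from the SPDX output. The script below is an added example, not the issue author's code and not part of scancode.io: it post-processes an SPDX 2.3 JSON document, removes `packageFileName` from every package, and reports which removed values contained glob metacharacters (so a consumer can see how often the field was unusable before deciding to drop it). The sample SBOM is constructed from the snippet quoted in the issue; the `SPDXRef-pkg-*` identifiers and the `example-lib` package are placeholders.

```python
"""Strip the SPDX 2.3 `packageFileName` field from a JSON SBOM and report
which of the removed values were glob patterns rather than file names.

Added example, not code from the issue or from scancode.io.
"""
import json

# Constructed sample: a minimal SPDX 2.3 document. The first package carries
# the glob-style packageFileName quoted in the issue; the SPDXID values and
# the second/third packages are placeholders, not scancode.io output.
SAMPLE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-sbom",
    "packages": [
        {
            "name": "apache-tomcat",
            "SPDXID": "SPDXRef-pkg-tomcat",
            "versionInfo": "9.0.82",
            "filesAnalyzed": False,
            "packageFileName": "*tomcat-9.0.82/*",
        },
        {
            "name": "example-lib",
            "SPDXID": "SPDXRef-pkg-lib",
            "versionInfo": "1.0.0",
            "packageFileName": "example-lib-1.0.0.tar.gz",
        },
        {
            "name": "no-file-name",
            "SPDXID": "SPDXRef-pkg-nofile",
        },
    ],
})

# Shell-glob metacharacters; a real archive name or directory path
# (what spec section 7.4 asks for) should not contain them.
GLOB_CHARS = set("*?[")


def looks_like_glob(value: str) -> bool:
    """True when the value is a match pattern rather than one file name."""
    return any(ch in GLOB_CHARS for ch in value)


def strip_package_file_name(spdx_json: str) -> tuple[str, list[dict]]:
    """Remove `packageFileName` from every package in an SPDX JSON document.

    Returns (cleaned JSON text, report). The report has one entry per
    removed field with the package SPDXID, the old value, and whether the
    value looked like a glob pattern.
    """
    doc = json.loads(spdx_json)
    report = []
    for pkg in doc.get("packages", []):
        value = pkg.pop("packageFileName", None)
        if value is None:
            continue  # field is optional; nothing to remove
        report.append({
            "SPDXID": pkg.get("SPDXID"),
            "packageFileName": value,
            "is_glob": looks_like_glob(value),
        })
    return json.dumps(doc, indent=2), report


def glob_count(report: list[dict]) -> int:
    """Number of removed values that were glob patterns, not file names."""
    return sum(1 for entry in report if entry["is_glob"])


if __name__ == "__main__":
    cleaned, report = strip_package_file_name(SAMPLE_SPDX)
    for entry in report:
        print(entry)
    print(f"{glob_count(report)} of {len(report)} packageFileName values were globs")
    print(cleaned)
```

Run it against a real scancode.io SPDX export by replacing `SAMPLE_SPDX` with the file contents; the report shows whether the field ever holds a usable archive name in practice, which is the evidence the issue is asking for.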