My opinion is that it would be useful to be able to express a “known unknown” on the version if the version can’t be determined.

I also agree we should strive to always have a version available. This is especially important in tracking vulnerability information. I just know that there are several situations where this just isn’t possible (e.g. source files copied from an upstream project where no one kept track of the original version). It would be better to have the imperfect package information than no information at all. The NOASSERTION approach seems like a consistent way to represent the “known unknown”.

Gary

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Dick Brooks
Sent: Friday, August 18, 2023 9:53 AM
To: l...@google.com; 'SPDX Technical Mailing List' <Spdx-tech@lists.spdx.org>
Cc: 'Emrick Donadei' <edona...@google.com>; 'Tyler Pirtle' <r...@google.com>
Subject: Re: [spdx-tech] NOASSERTION on PackageVersion field

Brandon,

REA applies the NOASSERTION value when a PackageVersion is indeterminate, based on guidance provided by the NTIA work effort. This is not an issue with “file components” as no version is required.

Thanks,

Dick Brooks
Active Member of the CISA Critical Manufacturing Sector, Sector Coordinating Council – A Public-Private Partnership
Never trust software, always verify and report! ™
http://www.reliableenergyanalytics.com
Email: d...@reliableenergyanalytics.com
Tel: +1 978-696-1788

From: Spdx-tech@lists.spdx.org <Spdx-tech@lists.spdx.org> On Behalf Of Brandon Lum via lists.spdx.org
Sent: Friday, August 18, 2023 12:16 PM
To: SPDX Technical Mailing List <Spdx-tech@lists.spdx.org>
Cc: Emrick Donadei <edona...@google.com>; Tyler Pirtle <r...@google.com>
Subject: [spdx-tech] NOASSERTION on PackageVersion field

Hi,

In generating some of our SPDX documents, we've (Tyler/Emrick CC'ed) run into situations where the version information of a package is unknown. What comes to mind is to set the version to NOASSERTION. However, this is not currently spelt out in the spec (https://spdx.github.io/spdx-spec/v2.3/package-information/#73-package-version-field). Although semantically, in terms of usage of information, it should be similar, it still lacks the ability to say that "This information is incomplete", with the exception of having NOASSERTION be set on the DEPENDS_ON relationship more broadly - which may perhaps be a different discussion altogether.

Wanted to get thoughts on this.

Cheers,
Brandon

View/Reply Online (#5303): https://lists.spdx.org/g/Spdx-tech/message/5303
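The thread turns on three states an SBOM consumer has to tell apart when matching packages against vulnerability data: a concrete PackageVersion, an explicit NOASSERTION (the "known unknown" REA emits), and a PackageVersion that is simply absent (the field is optional in SPDX 2.3, and Brandon notes the spec does not spell out NOASSERTION for it). The script below is an added example, not code from the thread or from the SPDX project: it parses a small SPDX 2.3 tag-value document constructed for this example and reports which packages cannot be matched by version, keeping the NOASSERTION and absent cases distinct so a triage process can treat an explicit unknown differently from a producer that never recorded the field.

```python
"""Added example (not from the thread or the SPDX project): scan an SPDX 2.3
tag-value document and report packages whose version cannot be used for
vulnerability matching. The SPDX text below is constructed for this example."""

from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample document. PackageVersion is optional in SPDX 2.3, so a
# package may omit it entirely (copied-sources) or, as REA does per the thread,
# carry NOASSERTION (vendored-utils) to state the version could not be determined.
SAMPLE_SPDX = """\
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: https://example.invalid/spdx/example-sbom

PackageName: zlib
SPDXID: SPDXRef-Package-zlib
PackageVersion: 1.2.13
PackageDownloadLocation: NOASSERTION

PackageName: vendored-utils
SPDXID: SPDXRef-Package-vendored-utils
PackageVersion: NOASSERTION
PackageDownloadLocation: NOASSERTION

PackageName: copied-sources
SPDXID: SPDXRef-Package-copied-sources
PackageDownloadLocation: NOASSERTION
"""


@dataclass
class Package:
    name: str
    spdx_id: str = ""
    version: Optional[str] = None  # None means the PackageVersion line was absent


def parse_packages(text: str) -> list[Package]:
    """Minimal tag-value parser collecting PackageName, SPDXID and PackageVersion.
    Each PackageName line starts a new package; the document-level SPDXID that
    appears before any PackageName is ignored."""
    packages: list[Package] = []
    current: Optional[Package] = None
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z]+):\s*(.*)$", line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
        elif current is None:
            continue
        elif tag == "SPDXID":
            current.spdx_id = value
        elif tag == "PackageVersion":
            current.version = value
    return packages


def classify_version(pkg: Package) -> str:
    """Distinguish the three states a consumer must handle:
    'known'        - concrete version, usable for advisory/CVE matching
    'noassertion'  - producer explicitly stated the version is unknown
    'absent'       - field missing; ambiguous (unknown, or never recorded)"""
    if pkg.version is None:
        return "absent"
    if pkg.version == "NOASSERTION":
        return "noassertion"
    return "known"


def unmatchable_packages(text: str) -> dict[str, str]:
    """Return {SPDXID: state} for every package that cannot be matched
    against vulnerability data by version."""
    return {
        p.spdx_id: classify_version(p)
        for p in parse_packages(text)
        if classify_version(p) != "known"
    }


if __name__ == "__main__":
    for pkg in parse_packages(SAMPLE_SPDX):
        print(f"{pkg.spdx_id:40} {classify_version(pkg)}")
```

Run as-is it lists zlib as known, vendored-utils as noassertion and copied-sources as absent. A consumer that collapses the last two into one bucket loses exactly the signal the thread is asking for: with NOASSERTION the producer has told you the gap is deliberate, while an absent field leaves you unable to tell a known unknown from an incomplete export.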