
Commit bc7f53d

fix: reverse direction of SPDX SBOM dependency rels (#7036)
fix: reverse direction of SPDX SBOM dep rels. This adjusts the relationships to match the explanations at https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/
Co-authored-by: Anton Bauhofer <[email protected]>
1 parent 11ec231 commit bc7f53d


5 files changed

+129
-129
lines changed


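--- a/lib/utils/sbom-spdx.js
+++ b/lib/utils/sbom-spdx.js
@@ -11,10 +11,10 @@ const SPDX_IDENTIFER = 'SPDXRef-DOCUMENT'
 const NO_ASSERTION = 'NOASSERTION'
 
 const REL_DESCRIBES = 'DESCRIBES'
-const REL_PREREQ = 'HAS_PREREQUISITE'
+const REL_PREREQ = 'PREREQUISITE_FOR'
 const REL_OPTIONAL = 'OPTIONAL_DEPENDENCY_OF'
 const REL_DEV = 'DEV_DEPENDENCY_OF'
-const REL_DEP = 'DEPENDS_ON'
+const REL_DEP = 'DEPENDENCY_OF'
 
 const REF_CAT_PACKAGE_MANAGER = 'PACKAGE-MANAGER'
 const REF_TYPE_PURL = 'purl'
@@ -147,8 +147,8 @@ const toSpdxRelationship = (node, edge) => {
 }
 
 return {
-spdxElementId: toSpdxID(node),
-relatedSpdxElement: toSpdxID(edge.to),
+spdxElementId: toSpdxID(edge.to),
+relatedSpdxElement: toSpdxID(node),
 relationshipType: type,
 }
 }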
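Review bot: The operand swap in the `return` of `toSpdxRelationship` (new lines 150–151) is the whole point of the fix, yet it reads like an accidental transposition, so it deserves a comment; I would add above `return {`: `// SPDX dependency relationships are stated from the dependency's side: "<edge.to> DEPENDENCY_OF <node>", so the element is the child and relatedSpdxElement is the parent`. Tools that match vulnerabilities or enforce policy against the SBOM graph rely on this orientation, so the rename of `REL_DEP`/`REL_PREREQ` and the swap must stay in lockstep, which the constants alone do not make obvious. `REL_DESCRIBES` is untouched, which appears correct since that relationship runs from the document to the root package rather than along a dependency edge. The enclosing function starts outside the hunk, so I cannot see how an edge with no resolved `to` (the "missing (optional) dep" case in the snapshots) reaches this return; presumably the branch closed at line 147 handles it, but that is worth confirming.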

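--- a/tap-snapshots/test/lib/commands/sbom.js.test.cjs
+++ b/tap-snapshots/test/lib/commands/sbom.js.test.cjs
@@ -82,14 +82,14 @@ exports[`test/lib/commands/sbom.js TAP sbom --omit dev > must match snapshot 1`]
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-sbom-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-sbom-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-dog-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-dog-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -155,9 +155,9 @@ exports[`test/lib/commands/sbom.js TAP sbom --omit optional > must match snapsho
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-sbom-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-chai-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-chai-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-sbom-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -223,9 +223,9 @@ exports[`test/lib/commands/sbom.js TAP sbom --omit peer > must match snapshot 1`
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-sbom-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-chai-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-chai-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-sbom-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -435,19 +435,19 @@ exports[`test/lib/commands/sbom.js TAP sbom basic sbom - spdx > must match snaps
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-sbom-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-sbom-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-sbom-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-chai-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-chai-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-sbom-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-dog-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-dog-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -547,18 +547,18 @@ exports[`test/lib/commands/sbom.js TAP sbom extraneous dep > must match snapshot
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-ls-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-ls-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-dog-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-dog-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-ls-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-chai-1.0.0",
+"spdxElementId": "SPDXRef-Package-chai-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-ls-1.0.0",
 "relationshipType": "OPTIONAL_DEPENDENCY_OF"
 }
 ]
@@ -710,39 +710,39 @@ exports[`test/lib/commands/sbom.js TAP sbom loading a tree containing workspaces
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-a-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-d-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-a-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-c-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-c-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-a-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-d-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-a-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-baz-1.0.0",
+"spdxElementId": "SPDXRef-Package-baz-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
 "relationshipType": "DEV_DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-d-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.1.1",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.1.1",
+"relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.1.1",
-"relatedSpdxElement": "SPDXRef-Package-bar-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-bar-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.1.1",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -825,14 +825,14 @@ exports[`test/lib/commands/sbom.js TAP sbom loading a tree containing workspaces
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-e-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-e-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-f-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-f-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -1051,59 +1051,59 @@ exports[`test/lib/commands/sbom.js TAP sbom loading a tree containing workspaces
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-a-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-b-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-b-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-d-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-e-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-e-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-f-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-f-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-pacote-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-pacote-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-a-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-c-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-c-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-a-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-d-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-a-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-baz-1.0.0",
+"spdxElementId": "SPDXRef-Package-baz-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
 "relationshipType": "DEV_DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-d-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.1.1",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.1.1",
+"relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.1.1",
-"relatedSpdxElement": "SPDXRef-Package-bar-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-bar-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.1.1",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -1169,9 +1169,9 @@ exports[`test/lib/commands/sbom.js TAP sbom loading a tree containing workspaces
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-workspaces-tree-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-pacote-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-pacote-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-workspaces-tree-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -1275,19 +1275,19 @@ exports[`test/lib/commands/sbom.js TAP sbom lock file only > must match snapshot
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-ls-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-ls-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-ls-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-chai-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-chai-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-ls-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-dog-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-dog-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }
@@ -1387,19 +1387,19 @@ exports[`test/lib/commands/sbom.js TAP sbom missing (optional) dep > must match
 "relationshipType": "DESCRIBES"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-ls-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-foo-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-ls-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-test-npm-ls-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-chai-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-chai-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-test-npm-ls-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 },
 {
-"spdxElementId": "SPDXRef-Package-foo-1.0.0",
-"relatedSpdxElement": "SPDXRef-Package-dog-1.0.0",
-"relationshipType": "DEPENDS_ON"
+"spdxElementId": "SPDXRef-Package-dog-1.0.0",
+"relatedSpdxElement": "SPDXRef-Package-foo-1.0.0",
+"relationshipType": "DEPENDENCY_OF"
 }
 ]
 }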

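--- a/tap-snapshots/test/lib/docs.js.test.cjs
+++ b/tap-snapshots/test/lib/docs.js.test.cjs
@@ -1421,7 +1421,7 @@ SBOM format to use when generating SBOMs.
 * Type: "library", "application", or "framework"
 
 The type of package described by the generated SBOM. For SPDX, this is the
-value for the \`primaryPackagePurpose\` fieled. For CycloneDX, this is the
+value for the \`primaryPackagePurpose\` field. For CycloneDX, this is the
 value for the \`type\` field.
 
 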