
Issue doesn't appear when a direct dependency is no longer available, while such an issue does appear for transitive dependencies #8109

Open
@dobringochev

Description

Hello there,
Let's say I have a product where in its project.spdx.yml I've got a couple of dependencies.
Direct dependencies have a STATIC_LINK relationship, while transitive dependencies have a DEPENDS_ON relationship.
So, for example, if ./external/transtive-dependency-1, which represents a git submodule, is not available anymore, I will get an issue about that in my scan-web-app-report, which is fine.
But if ./external/direct-dependency-1 (which again is another git submodule that refers to another repo) is not available, I'm not getting an issue in my scan-web-app-report for some reason.
I believe this should be like that, and my expectation is that if for some reason a direct dependency is also not available anymore, I should receive an issue in my scan-web-app-report just like I do for the transitive dependency.
Here is one example of my project.spdx.yml file.

```yaml
SPDXID: "SPDXRef-DOCUMENT"
spdxVersion: "SPDX-2.2"
creationInfo:
  created: "2023-02-22T00:00:00Z"
  creators:
  - "Organization: ORGX"
name: "ProductX"
documentNamespace: "orgx://company/productx"
documentDescribes:
  - "SPDXRef-Package-ProductX"
# SPDX element identifiers must carry the "SPDXRef-" prefix; the relationship
# pattern comment below already uses it, so the package IDs follow the same form.
packages:
# base package
- SPDXID: "SPDXRef-Package-ProductX"
  copyrightText: "NONE"
  downloadLocation: "https://productx.company.git"
  filesAnalyzed: false
  homepage: "NONE"
  licenseConcluded: "NONE"
  licenseDeclared: "LicenseRef-Proprietary-CompanyX"
  name: "ProductX"
  originator: "Organization: Company"
# end package
# packages referenced by base package
- SPDXID: "SPDXRef-Package-Direct-Dependency-1"
  copyrightText: "NONE"
  downloadLocation: "https://direct-dependency-1.company.git"
  filesAnalyzed: false
  homepage: "https://www.dep1.com"
  licenseConcluded: "NONE"
  licenseDeclared: "Apache-2.0"
  packageFileName: "./external/direct-dependency-1"
  name: "direct-dependency-1"
  originator: "Organization: Supplier1"
# end package
- SPDXID: "SPDXRef-Package-Transitive-Dependency-1"
  copyrightText: "NONE"
  downloadLocation: "https://transitive-dependency-1.company.git"
  filesAnalyzed: false
  homepage: "https://www.trans-dep1.com"
  licenseConcluded: "NONE"
  licenseDeclared: "MIT"
  packageFileName: "./external/transtive-dependency-1"
  name: "transitive-dependency-1"
  originator: "Organization: Supplier2"
# end package
#
# define relationships
# pattern:
# - spdxElementId:      "SPDXRef-Package-<somePackage>"
#   relationshipType:   "<relationship>"
#   relatedSpdxElement: "SPDXRef-Package-<basePackage>"
#
relationships:
- spdxElementId:      "SPDXRef-Package-ProductX"
  relationshipType:   "STATIC_LINK"
  relatedSpdxElement: "SPDXRef-Package-Direct-Dependency-1"
- spdxElementId:      "SPDXRef-Package-Direct-Dependency-1"
  relationshipType:   "DEPENDS_ON"
  relatedSpdxElement: "SPDXRef-Package-Transitive-Dependency-1"
```
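The behaviour the reporter expects, a missing-source issue for every dependency reachable from the described package regardless of its depth, can be checked independently of the analyzer. The script below is an added example, not ORT's code and not part of the original issue: it reads the JSON form of the same SPDX document (constructed here, using the mandatory `SPDXRef-` prefix), walks `STATIC_LINK` and `DEPENDS_ON` relationships breadth-first from `documentDescribes`, and reports each package whose `packageFileName` does not exist under the checkout root. Treating `DYNAMIC_LINK` as a dependency edge too is an assumption of the example; the function and variable names are the example's own.

```python
import json
import os
import tempfile
from collections import deque

# Relationship types treated here as "spdxElementId depends on relatedSpdxElement".
# STATIC_LINK and DEPENDS_ON are the two used in the issue's file; including
# DYNAMIC_LINK is an assumption of this example.
DEPENDENCY_RELATIONSHIPS = {"STATIC_LINK", "DYNAMIC_LINK", "DEPENDS_ON"}

# Constructed sample: the JSON form of the issue's project.spdx.yml, trimmed to the
# fields this check needs. Both submodule paths are deliberately left absent on disk.
SAMPLE_SPDX_JSON = """
{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.2",
  "name": "ProductX",
  "documentDescribes": ["SPDXRef-Package-ProductX"],
  "packages": [
    {"SPDXID": "SPDXRef-Package-ProductX", "name": "ProductX",
     "downloadLocation": "https://productx.company.git"},
    {"SPDXID": "SPDXRef-Package-Direct-Dependency-1", "name": "direct-dependency-1",
     "downloadLocation": "https://direct-dependency-1.company.git",
     "packageFileName": "./external/direct-dependency-1"},
    {"SPDXID": "SPDXRef-Package-Transitive-Dependency-1", "name": "transitive-dependency-1",
     "downloadLocation": "https://transitive-dependency-1.company.git",
     "packageFileName": "./external/transtive-dependency-1"}
  ],
  "relationships": [
    {"spdxElementId": "SPDXRef-Package-ProductX", "relationshipType": "STATIC_LINK",
     "relatedSpdxElement": "SPDXRef-Package-Direct-Dependency-1"},
    {"spdxElementId": "SPDXRef-Package-Direct-Dependency-1", "relationshipType": "DEPENDS_ON",
     "relatedSpdxElement": "SPDXRef-Package-Transitive-Dependency-1"}
  ]
}
"""


def load_spdx(text):
    """Parse an SPDX 2.x document given in its JSON serialisation."""
    return json.loads(text)


def dependency_graph(doc):
    """Map each SPDXID to the set of SPDXIDs it depends on (dependency-type edges only)."""
    graph = {}
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") in DEPENDENCY_RELATIONSHIPS:
            graph.setdefault(rel["spdxElementId"], set()).add(rel["relatedSpdxElement"])
    return graph


def reachable_packages(doc):
    """Breadth-first walk from documentDescribes; returns SPDXID -> depth (1 = direct).

    The visited map also terminates the walk on cyclic relationship graphs.
    """
    graph = dependency_graph(doc)
    depth = {}
    queue = deque()
    for root in doc.get("documentDescribes", []):
        depth[root] = 0
        queue.append(root)
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, ()):
            if dep not in depth:
                depth[dep] = depth[node] + 1
                queue.append(dep)
    return depth


def find_missing_sources(doc, root_dir):
    """Return (SPDXID, depth, message) for every reachable dependency whose source is absent."""
    packages = {p["SPDXID"]: p for p in doc.get("packages", [])}
    issues = []
    # Sorting by depth makes the report list direct dependencies before transitive ones.
    for spdx_id, depth in sorted(reachable_packages(doc).items(), key=lambda kv: kv[1]):
        if depth == 0:
            continue  # the described product itself is not a dependency
        pkg = packages.get(spdx_id)
        if pkg is None:
            issues.append((spdx_id, depth, "referenced by a relationship but not declared in 'packages'"))
            continue
        path = pkg.get("packageFileName")
        if path is None:
            continue  # nothing local to verify for this package
        if not os.path.exists(os.path.join(root_dir, path)):
            kind = "direct" if depth == 1 else "transitive"
            issues.append((spdx_id, depth, f"{kind} dependency source path '{path}' is missing"))
    return issues


def demo():
    """Run the check on a scratch checkout: first with no submodules, then with the direct one restored."""
    doc = load_spdx(SAMPLE_SPDX_JSON)
    with tempfile.TemporaryDirectory() as root:
        none_present = find_missing_sources(doc, root)
        os.makedirs(os.path.join(root, "external", "direct-dependency-1"))
        direct_present = find_missing_sources(doc, root)
    return none_present, direct_present


if __name__ == "__main__":
    for label, issues in zip(("no submodules present", "direct submodule present"), demo()):
        print(f"{label}:")
        for spdx_id, depth, message in issues:
            print(f"  [{depth}] {spdx_id}: {message}")
```

With neither submodule checked out the first run reports both packages, the direct one at depth 1 and the transitive one at depth 2; after the direct submodule directory is recreated only the transitive package remains. Because the walk starts from `documentDescribes` rather than from the list of packages, a package that is declared but never linked by a relationship is not reported, which is the distinction the issue turns on: the check must follow the first-level `STATIC_LINK` edge as well as the deeper `DEPENDS_ON` ones.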

Labels: analyzer (About the analyzer tool), question (An issue that is actually a question), spdx-utils (About the SPDX utility library)