tag_value writer does not write relationships where package contains file #843

@arbassett-qnx

The tag_value writer seems to be handling relationship writing differently than all the other formats, specifically around the CONTAINS and CONTAINED_BY between package and files. The code for it is here:

```python
elif (
    relationship.relationship_type == RelationshipType.CONTAINS
    and relationship.spdx_element_id in packages_spdx_ids
    and relationship.related_spdx_element_id in files_by_spdx_id.keys()
):
    contained_files_by_package_id.setdefault(relationship.spdx_element_id, []).append(
        files_by_spdx_id[relationship.related_spdx_element_id]
    )
    if relationship.comment:
        relationships_to_write.append(relationship)
elif (
    relationship.relationship_type == RelationshipType.CONTAINED_BY
    and relationship.related_spdx_element_id in packages_spdx_ids
    and relationship.spdx_element_id in files_by_spdx_id
):
    contained_files_by_package_id.setdefault(relationship.related_spdx_element_id, []).append(
        files_by_spdx_id[relationship.spdx_element_id]
    )
    if relationship.comment:
        relationships_to_write.append(relationship)
```

For some reason, when grouping packages and files, the relationship is only written if there is a comment, but comments are optional and it would be overly verbose to require them in this simple case.

All other formats correctly write the relationships.

This can be reproduced using the example code examples/spdx2_document_from_scratch.py and changing the output extension to .spdx.

Comparing the result from JSON to tag_value, we can see that the relationships are missing in tag value:

```json
"relationships": [
    {
        "spdxElementId": "SPDXRef-DOCUMENT",
        "relatedSpdxElement": "SPDXRef-Package",
        "relationshipType": "DESCRIBES"
    },
    {
        "spdxElementId": "SPDXRef-Package",
        "relatedSpdxElement": "SPDXRef-File1",
        "relationshipType": "CONTAINS"
    },
    {
        "spdxElementId": "SPDXRef-Package",
        "relatedSpdxElement": "SPDXRef-File2",
        "relationshipType": "CONTAINS"
    }
]
```

```
## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package
```

I would expect that the relationships are the same between tag_value and all other formats.

I've attached the entire files for reference.
my_spdx_document.spdx.json

my_spdx_document.txt (GitHub won't allow .spdx uploads, so renamed to .txt)
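A consumer-side check for the discrepancy reported above, as an added example that is not part of the original issue or of the project's code: it compares the explicit relationship triples in a JSON SBOM with the `Relationship:` lines of the tag-value output and lists the ones that were dropped. The function names are hypothetical, the sample inputs are the excerpts quoted in the issue, and only explicit `Relationship:` lines are considered.

```python
import json
import re

# Sample inputs: the excerpts quoted in the issue, not the full attachments.
JSON_DOC = """
{"relationships": [
  {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package",
   "relationshipType": "DESCRIBES"},
  {"spdxElementId": "SPDXRef-Package", "relatedSpdxElement": "SPDXRef-File1",
   "relationshipType": "CONTAINS"},
  {"spdxElementId": "SPDXRef-Package", "relatedSpdxElement": "SPDXRef-File2",
   "relationshipType": "CONTAINS"}
]}
"""
TAG_VALUE_DOC = """\
## Relationships
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package
"""

# "Relationship: <element> <TYPE> <related element>" as shown in the issue.
REL_LINE = re.compile(r"^Relationship:\s*(\S+)\s+(\S+)\s+(\S+)\s*$")


def relationships_from_json(text):
    """Return {(element, type, related)} from an SPDX JSON document."""
    doc = json.loads(text)
    return {
        (r["spdxElementId"], r["relationshipType"], r["relatedSpdxElement"])
        for r in doc.get("relationships", [])
    }


def relationships_from_tag_value(text):
    """Return {(element, type, related)} from explicit Relationship: lines."""
    triples = set()
    for line in text.splitlines():
        match = REL_LINE.match(line.strip())
        if match:
            triples.add(match.groups())
    return triples


def missing_relationships(json_text, tag_value_text):
    """Triples present in the JSON SBOM but absent from the tag-value SBOM."""
    return sorted(relationships_from_json(json_text)
                  - relationships_from_tag_value(tag_value_text))


if __name__ == "__main__":
    for triple in missing_relationships(JSON_DOC, TAG_VALUE_DOC):
        print("missing in tag-value:", " ".join(triple))
```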
