SPDX Import Specifications#
This page explains how FutureVuls interprets and imports the fields of SBOMs in the Linux Foundation SPDX (v2.x) format.
For the format-independent common specifications, such as component type determination and the import of OS and dependency library information, refer to "SBOM Import Specifications". This page explains the SPDX-specific field mappings.
FutureVuls reads the following information from SPDX.
creationInfo#
"creationInfo": {
"creators": [
"Organization: aquasecurity",
"Tool: trivy-0.43.0"
],
"created": "2023-08-08T08:01:33Z"
}
The generation tool is identified from the creators field.
packages#
"packages": [
{
"name": "ami-xxxxxxxxxxxxxxxxx",
"SPDXID": "SPDXRef-Vm-888578fefc6f6735",
"primaryPackagePurpose": "SOURCE"
},
{
"name": "amazon",
"SPDXID": "SPDXRef-OperatingSystem-541077021f563a3e",
"versionInfo": "2023",
"primaryPackagePurpose": "OPERATING-SYSTEM"
},
{
"name": "bash",
"SPDXID": "SPDXRef-Package-2a97fe8298d3deed",
"versionInfo": "4.2.46-34.amzn2023",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:rpm/amazon/bash@4.2.46-34.amzn2023?arch=x86_64"
}
],
"primaryPackagePurpose": "LIBRARY"
},
{
"name": "opt/vuls-saas/vuls",
"SPDXID": "SPDXRef-Application-d72df2bc81701c51",
"attributionTexts": [
"Type: gobinary"
],
"primaryPackagePurpose": "APPLICATION"
},
{
"name": "github.com/vulsio/go-exploitdb",
"SPDXID": "SPDXRef-Package-59634f967256ffb1",
"versionInfo": "v0.4.2",
"externalRefs": [
{
"referenceCategory": "PACKAGE-MANAGER",
"referenceType": "purl",
"referenceLocator": "pkg:golang/github.com/vulsio/go-exploitdb@v0.4.2"
}
],
"primaryPackagePurpose": "LIBRARY"
},
...
]
The type of each entry in packages, the list of software in SPDX, is determined primarily from primaryPackagePurpose.
If primaryPackagePurpose is not specified, the software type is determined using the SPDXID prefix (e.g., SPDXRef-OperatingSystem-xxxx).
primaryPackagePurpose |
SPDXID prefix |
Import |
|---|---|---|
OPERATING-SYSTEM |
SPDXRef-OperatingSystem-... |
Imported as OS information |
APPLICATION |
SPDXRef-Application-... |
Imported as application information |
LIBRARY and others not listed above |
SPDXRef-Package-... |
Imported as either an OS package or a language library |
Note that primaryPackagePurpose: CONTAINER and FILE represent the scan target itself or a file, so they are not imported as dependency packages.
The actual software type of each package (os / library / private) is determined based on the PURL (referenceType: purl) or CPE (referenceType: cpe23 / cpe22) information listed in externalRefs. For the determination rules, refer to "Component Type Determination".
License information listed in licenseConcluded / licenseDeclared is also imported.
relationships#
"relationships": [
{
"spdxElementId": "SPDXRef-DOCUMENT",
"relatedSpdxElement": "SPDXRef-Vm-888578fefc6f6735",
"relationshipType": "DESCRIBES"
},
{
"spdxElementId": "SPDXRef-Vm-888578fefc6f6735",
"relatedSpdxElement": "SPDXRef-OperatingSystem-541077021f563a3e",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-OperatingSystem-541077021f563a3e",
"relatedSpdxElement": "SPDXRef-Package-2a97fe8298d3deed",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Vm-888578fefc6f6735",
"relatedSpdxElement": "SPDXRef-Application-d72df2bc81701c51",
"relationshipType": "CONTAINS"
},
{
"spdxElementId": "SPDXRef-Application-d72df2bc81701c51",
"relatedSpdxElement": "SPDXRef-Package-59634f967256ffb1",
"relationshipType": "CONTAINS"
},
...
]
First, the relationshipType determines whether a relationship is treated as a dependency.
| Category | Examples of relationshipType |
Handling |
|---|---|---|
| Dependency / containment / linking | DEPENDS_ON / CONTAINS / STATIC_LINK / DYNAMIC_LINK, the reverse-direction CONTAINED_BY / DEPENDENCY_OF, and the various *_DEPENDENCY_OF types (RUNTIME_DEPENDENCY_OF, etc.) |
Imported as a dependency |
| Metadata / provenance / lineage | DESCRIBES / GENERATES / ANCESTOR_OF, etc. |
Not imported |
Relationships imported as dependencies are interpreted in the same way as CycloneDX dependencies.
- If the parent is an OS, the packages under it are imported as OS packages.
- If the parent is an application, the packages under it are imported as dependency libraries.
- Nested dependencies are imported recursively.
SPDXIDs that do not appear in anyrelationshipsare imported by referring to their PURL, and are classified as OS packages or dependency libraries.