Inclusion of File Download Location, Supplier, and Version in SPDX File Information Section #1177

Closed
nishanthsankaran opened this issue Jan 23, 2025 · 4 comments


@nishanthsankaran
As per 5.2.3 File information section, If a file is not part of any package, it shall precede any package information section reference in the SPDX document.

The SPDX specification 2.3 for the File Information section does not include fields for FileDownloadLocation, supplier of the file, or file version, similar to those in the Package Information section. This omission makes it challenging to document these details for files that are not part of any package.

@nishanthsankaran
Author

Additional Details:

As per the NTIA Minimum Elements, the SBOM should document baseline information about each component, including:

  • Supplier
  • Component Name
  • Version of the Component
  • Other Unique Identifiers
  • Dependency Relationship
  • Author of SBOM Data
  • Timestamp

Mapping NTIA SBOM Minimum Elements to SPDX

The following table shows how the NTIA-required fields map to SPDX fields, as detailed in the SPDX specification for Executive Order 14028:

| NTIA SBOM Minimum Field | Satisfying SPDX Field |
|---|---|
| Author Name | (6.8) Creator |
| Supplier Name | (7.5) Package Supplier |
| Component Name | (7.1) Package Name |
| Version String | (7.3) Package Version |
| Component Hash | (7.10) Package Checksum |
| Unique Identifier | (7.2) Package SPDX Identifier, (6.5) SPDX Document Namespace |
| Relationship | (11.1) Relationship: CONTAINS, DESCRIBES. The document must DESCRIBES at least one package. |
| Timestamp | (6.9) Created |

Component Definition

As defined in NTIA's SBOM Minimum Elements Report (Appendix B: Glossary, page 25), a component is a unit of software defined by a supplier at the time the component is built, packaged, or delivered. Many components may contain subcomponents. Examples of components include a software product, a device, a library, or a single file.

Issue with Non-Package Components

For files obtained from a third-party source that aren't associated with a package, SPDX currently lacks a direct way to tag NTIA Minimum Elements like Supplier Name, Version, or metadata such as the file download URL, as these fields are generally package-specific. This makes it challenging to track important metadata for standalone files.

@zvr
Member

zvr commented Jan 26, 2025

Since "Package" is defined as "any unit of content that can be associated with a distribution of software", if you are obtaining a file, this is essentially a Package (containing only this file).

You can, therefore, have all the corresponding properties like Supplier and DownloadLocation.

@goneall
Member

goneall commented Jan 26, 2025

Adding to @zvr comment above - it is perfectly fine, and even common, to have a package with a single file. In the SPDX spec, we distinguish between information about a file in the File class and information about a distributed file in the Package class.

You can use the contains relationship to indicate the file is contained in the package. If the file is the only thing being distributed, you can use the hasDistributionArtifact relationship from the package to the file.
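As an added illustration of the modelling suggested in the two replies above (not code from the SPDX project or from any participant): a standalone third-party file is wrapped in a one-file Package so that supplier, version and download location can be recorded, the Package CONTAINS the File, and the document DESCRIBES the Package. A second function checks the result against the NTIA-to-SPDX mapping from the table in this issue. All names, URLs and hashes are constructed placeholders.

```python
import json

# Constructed placeholder namespace; a real SBOM needs a unique URI here.
DOC_NS = "https://example.com/spdxdocs/standalone-file-example"

def build_single_file_sbom(file_name, sha256, supplier, version, download_url):
    """SPDX 2.3 JSON: one Package wrapping one File (constructed example)."""
    pkg_id, file_id = "SPDXRef-Package-" + file_name, "SPDXRef-File-" + file_name
    checksum = [{"algorithm": "SHA256", "checksumValue": sha256}]
    return {
        "spdxVersion": "SPDX-2.3",
        "dataLicense": "CC0-1.0",
        "SPDXID": "SPDXRef-DOCUMENT",
        "name": "sbom-for-" + file_name,
        "documentNamespace": DOC_NS,
        "creationInfo": {"created": "2025-01-26T00:00:00Z",
                         "creators": ["Tool: example-generator"]},
        # Package-level fields carry the NTIA supplier/version/download data.
        "packages": [{"SPDXID": pkg_id, "name": file_name, "versionInfo": version,
                      "supplier": supplier, "downloadLocation": download_url,
                      "filesAnalyzed": False, "checksums": checksum}],
        "files": [{"SPDXID": file_id, "fileName": "./" + file_name,
                   "checksums": checksum}],
        "relationships": [
            {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
             "relatedSpdxElement": pkg_id},
            {"spdxElementId": pkg_id, "relationshipType": "CONTAINS",
             "relatedSpdxElement": file_id},
        ],
    }

def ntia_gaps(doc):
    """Return the NTIA minimum elements missing from an SPDX 2.3 JSON dict."""
    gaps = []
    if not doc["creationInfo"].get("creators"):
        gaps.append("Author Name")
    if not doc["creationInfo"].get("created"):
        gaps.append("Timestamp")
    if not any(r["spdxElementId"] == "SPDXRef-DOCUMENT" and r["relationshipType"] == "DESCRIBES"
               for r in doc.get("relationships", [])):
        gaps.append("Relationship (DESCRIBES)")
    for p in doc.get("packages", []):
        for field, label in (("name", "Component Name"), ("versionInfo", "Version String"),
                             ("supplier", "Supplier Name"), ("checksums", "Component Hash")):
            if not p.get(field):
                gaps.append(label + " (" + p["SPDXID"] + ")")
    return gaps

if __name__ == "__main__":
    sbom = build_single_file_sbom("libfoo.so", "ab" * 32, "Organization: Example Corp",
                                  "1.4.2", "https://example.com/dl/libfoo.so")
    print(json.dumps(sbom, indent=2), ntia_gaps(sbom))
```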

@nishanthsankaran
Author

Thank you very much, @zvr and @goneall, for your explanation.
