Fix SPDX relationships in sbom

This adjusts the relationships to match the explanations at https://spdx.github.io/spdx-spec/v2.3/relationships-between-SPDX-elements/ Fixes npm#6867 Signed-off-by: Anton Bauhofer <[email protected]>
antonbauhofer · Oct 5, 2023 · c4042c4 · c4042c4
1 parent 2e4b4ad
commit c4042c4
Show file tree

Hide file tree

Showing 3 changed files with 22 additions and 16 deletions.
diff --git a/lib/utils/sbom-spdx.js b/lib/utils/sbom-spdx.js
@@ -124,25 +124,31 @@ const toSpdxItem = (node, { packageType }) => {
 }
 
 const toSpdxRelationship = (node, edge) => {
-  let type
   switch (edge.type) {
     case 'peer':
-      type = REL_PREREQ
-      break
+      return {
+        spdxElementId: toSpdxID(node),
+        relatedSpdxElement: toSpdxID(edge.to),
+        relationshipType: REL_PREREQ,
+      }
     case 'optional':
-      type = REL_OPTIONAL
-      break
+      return {
+        spdxElementId: toSpdxID(edge.to),
+        relatedSpdxElement: toSpdxID(node),
+        relationshipType: REL_OPTIONAL,
+      }
     case 'dev':
-      type = REL_DEV
-      break
+      return {
+        spdxElementId: toSpdxID(edge.to),
+        relatedSpdxElement: toSpdxID(node),
+        relationshipType: REL_DEV,
+      }
     default:
-      type = REL_DEP
-  }
-
-  return {
-    spdxElementId: toSpdxID(node),
-    relatedSpdxElement: toSpdxID(edge.to),
-    relationshipType: type,
+      return {
+        spdxElementId: toSpdxID(node),
+        relatedSpdxElement: toSpdxID(edge.to),
+        relationshipType: REL_DEP,
+      }
   }
 }
 

diff --git a/tap-snapshots/test/lib/docs.js.test.cjs b/tap-snapshots/test/lib/docs.js.test.cjs
@@ -1421,7 +1421,7 @@ SBOM format to use when generating SBOMs.
 * Type: "library", "application", or "framework"
 
 The type of package described by the generated SBOM. For SPDX, this is the
-value for the \`primaryPackagePurpose\` fieled. For CycloneDX, this is the
+value for the \`primaryPackagePurpose\` field. For CycloneDX, this is the
 value for the \`type\` field.
 
 

diff --git a/workspaces/config/lib/definitions/definitions.js b/workspaces/config/lib/definitions/definitions.js
@@ -1234,7 +1234,7 @@ define('sbom-type', {
   ],
   description: `
     The type of package described by the generated SBOM. For SPDX, this is the
-    value for the \`primaryPackagePurpose\` fieled. For CycloneDX, this is the
+    value for the \`primaryPackagePurpose\` field. For CycloneDX, this is the
     value for the \`type\` field.
   `,
   flatten,