[BUG] Relationships in SPDX sbom pointing in wrong direction

[antonbauhofer]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When creating an SPDX sbom, some of the contained relationships are incorrect.
For example, for the npm/cli repository, the following relationship is determined:
{
"spdxElementId": "SPDXRef-Package-npm-10.1.0",
"relatedSpdxElement": "SPDXRef-Package-npmcli.eslint-config-4.0.2",
"relationshipType": "DEV_DEPENDENCY_OF"
}

Expected Behavior

According to the SPDX specification, the relationship should point in the other direction:
{
"spdxElementId": "SPDXRef-Package-npmcli.eslint-config-4.0.2",
"relatedSpdxElement": "SPDXRef-Package-npm-10.1.0",
"relationshipType": "DEV_DEPENDENCY_OF"
}

Steps To Reproduce

1. Clone the latest unstable master of npm/cli repository according to the contributing manual
2. Create an SPDX sbom with node . sbom --sbom-format spdx
3. Search for any relationships with "relationshipType": "DEV_DEPENDENCY_OF"
4. Compare the identified relationships with those specified in the respective package.json files

Environment

• npm: 10.2.0
• Node.js: 18.12.1
• OS Name: macOS Ventura 13.4
• System Model Name: Irrelevant
• npm config: Irrelevant

[wraithgar]

I don't think this is wrong, this was brought up during the implementation PR and the current direction matches guidance from the SPDX community, namely that

"directionality" of the relationship is implied by the spdxElementId/relatedSpdxElement fields not by the relationshipType

#6801

[bdehamer]

The current implementation was based on guidance that we received from the SPDX maintainers. The way it was explained to me is that the relationship names should be considered non-directional. Most tooling which consumes SBOMs will treat the relationships as a directed graph so the important bit is to make sure that the parent (spdxElementId) / child (relatedSpdxElement) relationship is accurately represented. Switching the references like you've done in your PR breaks the graph.

The fact that some of the relationship labels have inverse variants (DEPENDS_ON vs DEPENDENCY_OF) while others do not (DEV_DEPENDENCY_OF vs ??) make things extra confusing -- but I understand that this will be cleaned-up in SPDX 3.

[maxhbr]

This issue is not resolved and my comment in #6801 was probably missunderstood.

Can you please reopen the ticket? The currently produced SPDX files do not represent the correct dependency tree.

[maxhbr]

I don't think this is wrong, this was brought up during the implementation PR and the current direction matches guidance from the SPDX community, namely that

"directionality" of the relationship is implied by the spdxElementId/relatedSpdxElement fields not by the relationshipType

Hey @wraithgar, that statement is wrong.

There are two parts to that determine "directionality",

1. the type of the relationship and
2. the from and to (which are called spdxElementId and relatedSpdxElement)

Therefore the relationships

  {
      "spdxElementId": "SPDXRef-Package-d-1.0.0",
      "relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
      "relationshipType": "DEPENDENCY_OF"
    }

and

 {
      "spdxElementId": "SPDXRef-Package-a-1.0.0",
      "relatedSpdxElement": "SPDXRef-Package-d-1.0.0",
      "relationshipType": "DEPENDS_ON"
 }

are equivalent, since the label was inverted and the from and to were swapped.

But the following relationships are not equivalent:

  {
      "spdxElementId": "SPDXRef-Package-d-1.0.0",
      "relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
      "relationshipType": "DEPENDENCY_OF"
    },

and

 {
      "spdxElementId": "SPDXRef-Package-d-1.0.0",
      "relatedSpdxElement": "SPDXRef-Package-a-1.0.0",
      "relationshipType": "DEPENDS_ON"
 }

So, the choice of label ("DEPENDENCY_OF" vs "DEPENDS_ON") matters and is done inconsistently in the current implementation (mixing "*_OF" with "*_ON").

[maxhbr]

Most tooling which consumes SBOMs will treat the relationships as a directed graph so the important bit is to make sure that the parent (spdxElementId) / child (relatedSpdxElement) relationship is accurately represented

I agree that the direction of the arrows should not be inverted. Nevertheless the relationshipTypes need to be fixed