
Support for DEPENDENCY_MANIFEST_OF and DEPENDENCY_OF relationships #822

Open
rhyskoedijk opened this issue Dec 4, 2024 · 3 comments
Labels: needs investigation (Our team will investigate and determine next actions), needs triage (Default status upon issue submission)

rhyskoedijk commented Dec 4, 2024

Firstly, thanks so much for this tool, it's incredibly useful.

I'd like to know if you're open to accepting a contribution for DEPENDENCY_MANIFEST_OF and DEPENDENCY_OF relationships? Support for these relationships would be useful to identify where a package originates from in cases such as fixing vulnerable packages, consolidating package versions, generating human-friendly visualisation of the dependency graph, etc.

I managed to add support for this using the LocationsFoundAt info returned by component detector and I'd be happy to submit a PR if you are open to it, but just wanted to check if this is sane or not first; if I'm missing something obvious or this is outside the scope of the tool, let me know.

Example

Given this .NET project:

<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <TargetFrameworks>net8.0</TargetFrameworks>
    <OutputType>WinExe</OutputType>
  </PropertyGroup>
  <ItemGroup>
    <PackageReference Include="System.Text.Json" Version="8.0.0" />
  </ItemGroup>
</Project>

I currently get this manifest.spdx.json:

{
  "files": [
    {
      "fileName": "./bin/release/Project.exe",
      "SPDXID": "SPDXRef-File--bin-release-net8.0-Project.exe-526E4EB84DC095345E87FCA6D52189094264D6D0",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "fb5f70d84e9d7614df4849ec4059943efaff43da96b205e1deabfe1df1177ca4"
        },
        {
          "algorithm": "SHA1",
          "checksumValue": "526e4eb84dc095345e87fca6d52189094264d6d0"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "NOASSERTION"
      ],
      "copyrightText": "NOASSERTION"
    },
    {
      "fileName": "./bin/release/Project.dll",
      "SPDXID": "SPDXRef-File--bin-release-net8.0-Project.dll-4E3FCF7FEF2C90A3D717484DE4BFC4C12C82EA80",
      "checksums": [
        {
          "algorithm": "SHA256",
          "checksumValue": "746048ab703f0187ddf878613f6bd4a1b50ef21a2aec5d7040a014ae5d852f02"
        },
        {
          "algorithm": "SHA1",
          "checksumValue": "4e3fcf7fef2c90a3d717484de4bfc4c12c82ea80"
        }
      ],
      "licenseConcluded": "NOASSERTION",
      "licenseInfoInFiles": [
        "NOASSERTION"
      ],
      "copyrightText": "NOASSERTION"
    }
  ],
  "packages": [
    {
      "name": "System.Text.Json",
      "SPDXID": "SPDXRef-Package-D010D6803532B8F44E031576D059B01154585F59FD75B33C044C7A658BBB47D3",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "8.0.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:nuget/System.Text.Json@8.0.0"
        }
      ],
      "supplier": "NOASSERTION"
    },
    {
      "name": "System.Text.Encodings.Web",
      "SPDXID": "SPDXRef-Package-D595C7CA243D238A94C6D0F9277EB98AE42EDA370259D4615A58E5BE78BAD562",
      "downloadLocation": "NOASSERTION",
      "filesAnalyzed": false,
      "licenseConcluded": "NOASSERTION",
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "8.0.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:nuget/System.Text.Encodings.Web@8.0.0"
        }
      ],
      "supplier": "NOASSERTION"
    },
    {
      "name": "My Package",
      "SPDXID": "SPDXRef-RootPackage",
      "downloadLocation": "NOASSERTION",
      "packageVerificationCode": {
        "packageVerificationCodeValue": "fb4d5230aa30e81073c2ba6428215a065407b803"
      },
      "filesAnalyzed": true,
      "licenseConcluded": "NOASSERTION",
      "licenseInfoFromFiles": [
        "NOASSERTION"
      ],
      "licenseDeclared": "NOASSERTION",
      "copyrightText": "NOASSERTION",
      "versionInfo": "1.0.0",
      "externalRefs": [
        {
          "referenceCategory": "PACKAGE-MANAGER",
          "referenceType": "purl",
          "referenceLocator": "pkg:swid/Rhys%20Koedijk/rhys.koedijk.co.nz/My%20Package@1.0.0?tag_id=9aa48caa-cd3c-4f14-9c8b-d35762bc3f5b"
        }
      ],
      "supplier": "Organization: Rhys Koedijk",
      "hasFiles": [
        "SPDXRef-File--bin-release-net8.0-Project.dll-4E3FCF7FEF2C90A3D717484DE4BFC4C12C82EA80",
        "SPDXRef-File--bin-release-net8.0-Project.exe-526E4EB84DC095345E87FCA6D52189094264D6D0"
      ]
    }
  ],
  "externalDocumentRefs": [],
  "relationships": [
    {
      "relationshipType": "DESCRIBES",
      "relatedSpdxElement": "SPDXRef-RootPackage",
      "spdxElementId": "SPDXRef-DOCUMENT"
    },
    {
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-Package-D010D6803532B8F44E031576D059B01154585F59FD75B33C044C7A658BBB47D3",
      "spdxElementId": "SPDXRef-RootPackage"
    },
    {
      "relationshipType": "DEPENDS_ON",
      "relatedSpdxElement": "SPDXRef-Package-D595C7CA243D238A94C6D0F9277EB98AE42EDA370259D4615A58E5BE78BAD562",
      "spdxElementId": "SPDXRef-Package-D010D6803532B8F44E031576D059B01154585F59FD75B33C044C7A658BBB47D3"
    }
  ],
  "spdxVersion": "SPDX-2.2",
  "dataLicense": "CC0-1.0",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "My Package 1.0.0",
  "documentNamespace": "http://rhys.koedijk.co.nz//My%20Package/1.0.0/NnNU1xiiE0uPmellUYxayA",
  "creationInfo": {
    "created": "2024-12-04T02:18:13Z",
    "creators": [
      "Organization: Rhys Koedijk",
      "Tool: Microsoft.SBOMTool-0.0.0-preview.0.366"
    ]
  },
  "documentDescribes": [
    "SPDXRef-RootPackage"
  ]
}

Which can be visualised as:

[Image: dependency graph visualisation of the manifest above]

I would like to see additional relationships for DEPENDENCY_MANIFEST_OF and DEPENDENCY_OF, e.g. (element IDs are just for illustration):

    {
      "relationshipType": "DEPENDENCY_MANIFEST_OF",
      "relatedSpdxElement": "SPDXRef-RootPackage",
      "spdxElementId": "/src/Project.csproj"
    },
    {
      "relationshipType": "DEPENDENCY_OF",
      "relatedSpdxElement": "/src/Project.csproj",
      "spdxElementId": "System.Text.Json"
    },
    {
      "relationshipType": "DEPENDENCY_OF",
      "relatedSpdxElement": "/src/Project.csproj",
      "spdxElementId": "System.Text.Encodings.Web"
    },

Which could be visualised as:

[Image: dependency graph visualisation including the proposed manifest relationships]

@jlperkins jlperkins added the needs triage Default status upon issue submission label Dec 5, 2024
@jlperkins jlperkins added needs investigation Our team will investigate and determine next actions and removed needs triage Default status upon issue submission labels Dec 6, 2024
pragnya17 (Contributor) commented

Hi @rhyskoedijk thanks for the details! Before moving forward, I have a few follow-up questions:

  1. It seems like the main purpose of adding these relationships is to encapsulate information about the .csproj files in the dependency graph? Is this correct? If not, what are some other use cases for this?
  2. The DEPENDENCY_OF and DEPENDENCY_MANIFEST_OF relationships can also be expressed as DEPENDS_ON relationships, is there a specific reason why we need to introduce a new relationship? I am not sure what extra information this would provide.

rhyskoedijk (Author) commented Dec 18, 2024

> It seems like the main purpose of adding these relationships is to encapsulate information about the .csproj files in the dependency graph?

Correct; I want to identify the dependency references/manifest file of the package.

> The DEPENDENCY_OF and DEPENDENCY_MANIFEST_OF relationships can also be expressed as DEPENDS_ON relationships, is there a specific reason why we need to introduce a new relationship?

My understanding of the relationships is that DEPENDS_ON is describing build/runtime dependency relationships, whereas DEPENDENCY_MANIFEST_OF and DEPENDENCY_OF are describing where the dependency is declared/defined. I believe all three relationships provide unique and useful information. However, I could also just be misunderstanding the purpose of these relationships.

| Relationship | Description | Example |
| --- | --- | --- |
| DEPENDS_ON | Is to be used when SPDXRef-A depends on SPDXRef-B. | Package A depends on the presence of package B in order to build and run. |
| DEPENDENCY_OF | Is to be used when SPDXRef-A is a dependency of SPDXRef-B. | A is explicitly stated as a dependency of B in a machine-readable file. Use when a package manager does not define scopes. |
| DEPENDENCY_MANIFEST_OF | Is to be used when SPDXRef-A is a manifest file that lists a set of dependencies for SPDXRef-B. | A file package.json is the dependency manifest of a package foo. Note that only one manifest should be used to define the same dependency graph. |

https://spdx.github.io/spdx-spec/v2.2.2/relationships-between-SPDX-elements

> I am not sure what extra information this would provide.

It would tell me exactly where each dependency is declared, so that an automated tool can then suggest an update for the file (if required).

For context, I recently wrote an Azure DevOps extension that uses sbom-tool to automate several dependency vulnerability and reporting needs I have. I am interested in this information so that the tool can suggest where and how to fix dependency issues:
https://marketplace.visualstudio.com/items?itemName=rhyskoedijk.sbom-tool
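One way a remediation tool could consume the relationships proposed in this thread, as an added example that is not part of the issue or of sbom-tool: a constructed SPDX 2.2 fragment (illustrative element IDs, as in the original post) carries the existing DEPENDS_ON edges plus DEPENDENCY_OF and DEPENDENCY_MANIFEST_OF, and `where_to_fix` returns the manifest file in which a package to remediate is declared, falling back to the nearest explicitly declared ancestor when the package is only pulled in transitively. The sample document, IDs and function names are assumptions for this example.

```python
import json
from collections import defaultdict

# Constructed minimal SPDX 2.2 fragment (not sbom-tool output); element IDs are illustrative.
SAMPLE_SPDX = json.dumps({
    "packages": [
        {"name": "My Package", "SPDXID": "SPDXRef-RootPackage", "versionInfo": "1.0.0"},
        {"name": "System.Text.Json", "SPDXID": "SPDXRef-Package-STJ", "versionInfo": "8.0.0"},
        {"name": "System.Text.Encodings.Web", "SPDXID": "SPDXRef-Package-STEW", "versionInfo": "8.0.0"}],
    "files": [{"fileName": "./src/Project.csproj", "SPDXID": "SPDXRef-File-Project.csproj"}],
    "relationships": [
        {"relationshipType": "DESCRIBES", "spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"relationshipType": "DEPENDS_ON", "spdxElementId": "SPDXRef-RootPackage", "relatedSpdxElement": "SPDXRef-Package-STJ"},
        {"relationshipType": "DEPENDS_ON", "spdxElementId": "SPDXRef-Package-STJ", "relatedSpdxElement": "SPDXRef-Package-STEW"},
        # Proposed relationships: the csproj is the manifest of the root package, and only
        # System.Text.Json is declared in it (System.Text.Encodings.Web is transitive).
        {"relationshipType": "DEPENDENCY_MANIFEST_OF", "spdxElementId": "SPDXRef-File-Project.csproj", "relatedSpdxElement": "SPDXRef-RootPackage"},
        {"relationshipType": "DEPENDENCY_OF", "spdxElementId": "SPDXRef-Package-STJ", "relatedSpdxElement": "SPDXRef-File-Project.csproj"}]})


def build_index(spdx_json):
    """Map element IDs to display names and index relationships in both directions."""
    doc = json.loads(spdx_json)
    names = {p["SPDXID"]: p["name"] for p in doc.get("packages", [])}
    names.update({f["SPDXID"]: f["fileName"] for f in doc.get("files", [])})
    fwd, rev = defaultdict(set), defaultdict(set)  # keyed by (relationshipType, element)
    for r in doc.get("relationships", []):
        fwd[(r["relationshipType"], r["spdxElementId"])].add(r["relatedSpdxElement"])
        rev[(r["relationshipType"], r["relatedSpdxElement"])].add(r["spdxElementId"])
    return names, fwd, rev


def where_to_fix(spdx_json, package_name):
    """Return {manifest file: declared package} pairs to edit when remediating package_name.

    A directly declared package maps to the manifests listing it (DEPENDENCY_OF).
    A transitive-only package has no DEPENDENCY_OF edge, so walk DEPENDS_ON edges
    upwards to the nearest declared ancestors and report their manifests instead.
    """
    names, fwd, rev = build_index(spdx_json)
    ids = [i for i, n in names.items() if n == package_name]
    result, seen, queue = {}, set(ids), list(ids)
    while queue:
        pid = queue.pop(0)
        manifests = fwd[("DEPENDENCY_OF", pid)]
        if manifests:
            for m in manifests:
                result[names[m]] = names[pid]
            continue  # declared here; the fix belongs in this manifest
        for parent in rev[("DEPENDS_ON", pid)]:
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return result
```

For the transitive System.Text.Encodings.Web the lookup reports ./src/Project.csproj with System.Text.Json as the declared package to bump, which is the information plain DEPENDS_ON edges do not carry.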

pragnya17 (Contributor) commented Dec 19, 2024

Thank you for the details! I see the argument for the use case; however, I still think this problem could be solved with the existing relationships/changing the scope under which the SBOMs are generated. Introducing new relationships means we would have to make internal changes to how SBOMs are generated and parsed, which introduces more complexities to the tool.

Since the generation of SBOMs for solutions/projects depends on the use case, we think that discussing with your legal team/admin on the requirements for generating these SBOMs would be a good place to start.

@DaveTryon DaveTryon added the needs triage Default status upon issue submission label Jan 4, 2025