`Relationships` are ignored during CycloneDX →SPDX conversion

[sharmadi-arista]

Hi,

I've encountered an issue while converting a CycloneDX SBOM to SPDX. It looks like the conversion of dependencies to relationships is currently being completely ignored.

https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/src/CycloneDX.Spdx.Interop/Converters/v2_3/SpdxDocumentConverters.cs#L86

It appears that some features are still unimplemented. Is anyone actively working on this, or is there a particular reason these parts haven't been addressed yet? These posses significant gaps in the conversion process.

Thanks you!!

[andreas-hilti]

Hi,

See here:
https://github.com/CycloneDX/cyclonedx-dotnet-library/blob/main/README.md#spdx-interop
in particular

If you are familiar with both formats, and would like to contribute to minimising data loss during conversion, pull requests are welcome :)

With respect to your questions:

Is anyone actively working on this

Not that I'm aware of.

is there a particular reason these parts haven't been addressed yet?

Partly it is just because no one spent the time doing it, partly it is because the notions are not 100% equivalent, i.e. one would need to understand better what can be translated and how. (And this requires rather detailed knowledge of both formats.)

[sharmadi-arista]

Hi,

Thanks for the clarification.

In the coming days, I plan to dive deeper to understand which types of relationships can be reliably converted from CycloneDX to SPDX. I think starting with CycloneDX dependencies (https://cyclonedx.org/docs/1.6/json/#dependencies) is a good entry point. I'm hoping to make contributions in this area.

Thanks!!