Set documentDescribes to reference the root SPDX element(s) only

Signed-off-by: tdruez <[email protected]>

Author: tdruez

scanpipe/pipes/output.py

@@ -705,15 +705,29 @@ def to_spdx(project, include_files=False):
     discovereddependency_qs = get_queryset(project, "discovereddependency")
 
     document_spdx_id = f"SPDXRef-DOCUMENT-{project.uuid}"
+    project_as_root_package = spdx.Package(
+        spdx_id=f"SPDXRef-scancodeio-project-{project.uuid}",
+        name=project.name,
+        files_analyzed=True,
+    )
     packages_as_spdx = []
     license_expressions = []
     relationships = []
 
     for package in discoveredpackage_qs:
-        packages_as_spdx.append(package.as_spdx())
+        spdx_package = package.as_spdx()
+        packages_as_spdx.append(spdx_package)
+
         if license_expression := package.declared_license_expression:
             license_expressions.append(license_expression)
 
+        spdx_relationship = spdx.Relationship(
+            spdx_id=project_as_root_package.spdx_id,
+            related_spdx_id=spdx_package.spdx_id,
+            relationship="DEPENDS_ON",
+        )
+        relationships.append(spdx_relationship)
+
     for dependency in discovereddependency_qs:
         spdx_relationship = get_dependency_as_spdx_relationship(
             dependency,
@@ -733,6 +747,7 @@ def to_spdx(project, include_files=False):
         spdx_id=document_spdx_id,
         name=f"scancodeio_{project.name}",
         namespace=f"https://scancode.io/spdxdocs/{project.uuid}",
+        describe=project_as_root_package,
         creation_info=spdx.CreationInfo(tool=f"ScanCode.io-{scancodeio_version}"),
         packages=packages_as_spdx,
         files=files_as_spdx,

scanpipe/pipes/spdx.py

@@ -267,7 +267,7 @@ class ExtractedLicensingInfo:
     """
 
     license_id: str
-    extracted_text: str
+    extracted_text: str = "NOASSERTION"
 
     name: str = ""
     comment: str = ""
@@ -542,6 +542,7 @@ class Document:
 
     name: str
     namespace: str
+    describe: Package
     creation_info: CreationInfo
     packages: list[Package]
 
@@ -556,15 +557,18 @@ class Document:
 
     def as_dict(self):
         """Return the SPDX document as a serializable dict."""
+        packages = [self.describe.as_dict()]
+        packages.extend([package.as_dict() for package in self.packages])
+
         data = {
             "spdxVersion": f"SPDX-{self.version}",
             "dataLicense": self.data_license,
             "SPDXID": self.spdx_id,
             "name": self.safe_document_name(self.name),
             "documentNamespace": self.namespace,
+            "documentDescribes": [self.describe.spdx_id],
             "creationInfo": self.creation_info.as_dict(),
-            "packages": [package.as_dict() for package in self.packages],
-            "documentDescribes": [package.spdx_id for package in self.packages],
+            "packages": packages,
         }
 
         if self.files: