Description
A) We are trying to consume spdx files generated by https://github.com/microsoft/sbom-tool.
It generates files with the following snippets:
```json
"documentDescribes": [
  "SPDXRef-RootPackage"
]
```
and
```json
"relationships": [
  {
    "relationshipType": "DESCRIBES",
    "relatedSpdxElement": "SPDXRef-RootPackage",
    "spdxElementId": "SPDXRef-DOCUMENT"
  }
],
```
Both seem like equivalents for specifying what the SPDX file describes. According to https://github.com/spdx/spdx-spec/blob/development/v2.3/schemas/spdx-schema.json and spdx/spdx-spec#395, it seems that the package ref described in relatedSpdxElement ("SPDXRef-RootPackage") should be used as the root package of the resulting CycloneDX document, metadata.component. Currently it is ignored.
As I understand it, the only caveat here is multiple components in documentDescribes/DESCRIBES relationships. Could this relationship be propagated to metadata.component in the case of a single value?
B) Another thing we are interested in is the "externalRefs" property, which is also completely ignored in the SPDX->CycloneDX conversion, but filled in the backward conversion.
I can provide PRs for both cases.
For case A I'd like to start a discussion; maybe I am missing something?
For case B I think it should be extended to support all "externalRefs".
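To make the proposed mapping concrete, here is an added Python sketch (not the converter's own code, and not the issue author's) of both points: the root package is taken from `documentDescribes` or from a `DESCRIBES` relationship off the document element and propagated to `metadata.component` only when exactly one element is described, and `externalRefs` are carried over, with the `purl` reference becoming the component's `purl` and every other ref an `externalReferences` entry of type `other`. The SPDX document, the package values and the non-purl ref are constructed sample data.

```python
import json

# Constructed SPDX 2.3 JSON in the shape the issue quotes (all values made up).
SPDX_DOC = json.loads("""{
  "SPDXID": "SPDXRef-DOCUMENT",
  "documentDescribes": ["SPDXRef-RootPackage"],
  "packages": [{
    "SPDXID": "SPDXRef-RootPackage", "name": "my-app", "versionInfo": "1.2.3",
    "externalRefs": [
      {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
       "referenceLocator": "pkg:npm/my-app@1.2.3"},
      {"referenceCategory": "OTHER", "referenceType": "website",
       "referenceLocator": "https://example.invalid/my-app"}]}],
  "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT",
    "relationshipType": "DESCRIBES", "relatedSpdxElement": "SPDXRef-RootPackage"}]
}""")


def described_ids(doc):
    """Union of documentDescribes and the targets of DOCUMENT -> DESCRIBES relationships."""
    ids = set(doc.get("documentDescribes", []))
    doc_id = doc.get("SPDXID", "SPDXRef-DOCUMENT")
    for rel in doc.get("relationships", []):
        if rel.get("relationshipType") == "DESCRIBES" and rel.get("spdxElementId") == doc_id:
            ids.add(rel["relatedSpdxElement"])
    return ids


def convert_package(pkg):
    """SPDX package -> CycloneDX component; purl ref -> purl, other refs -> externalReferences."""
    comp = {"type": "application", "name": pkg["name"], "version": pkg.get("versionInfo")}
    ext = []
    for ref in pkg.get("externalRefs", []):
        if ref.get("referenceType") == "purl":
            comp["purl"] = ref["referenceLocator"]
        else:  # assumed mapping: keep category/type in the comment so nothing is lost
            ext.append({"type": "other", "url": ref["referenceLocator"],
                        "comment": f"{ref['referenceCategory']}/{ref['referenceType']}"})
    if ext:
        comp["externalReferences"] = ext
    return comp


def root_component(doc):
    """metadata.component for the single described package; None when zero or several are described."""
    ids = described_ids(doc)
    if len(ids) != 1:
        return None  # ambiguous root: the caveat the issue raises, left to the caller
    pkgs = {p["SPDXID"]: p for p in doc.get("packages", [])}
    pkg = pkgs.get(ids.pop())
    return convert_package(pkg) if pkg else None
```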