Merge pull request #189 from DanielOjalvo/DanielOjalvo/issue186

Find the DESCRIBES relationship by looking through attached packages
spdx · Jun 29, 2024 · 3b485ac · 3b485ac
2 parents 4f96d8e + 4282b5f
commit 3b485ac
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/ntia_conformance_checker/sbom_checker.py b/ntia_conformance_checker/sbom_checker.py
@@ -69,9 +69,13 @@ def check_dependency_relationships(self):
             if rel.relationship_type == RelationshipType.DESCRIBES
         ]
 
+        # A set of all package spdx_ids for quick lookup
+        spdx_id_set = {package.spdx_id for package in self.doc.packages}
+
         # Check if any of the "DESCRIBES" relationships describe a Package
         describes_package = any(
-            "Package" in rel.related_spdx_element_id for rel in describes_relationships
+            rel.related_spdx_element_id in spdx_id_set
+            for rel in describes_relationships
         )
 
         return describes_package