[Question] Does this spec support to describe the transitivity and scope of dependencies

[WestFarmer]

In java's ecosystem, with maven as build tool.

when a project specify it depends on some libraries, those libraries can also depends on other libraries.

for example:

project P -> lib A -> lib B -> lib c

for project P, only lib A is called direct dependency, while B and C are called transitive dependencies.

and dependencies can have scope, for example a project P may depends on lib B, but only for running unit tests.

project P -> lib A 
         \-> lib B(test scope)

what's the corresponding concepts in this spec ?

[bact]

For scoping, I believe you can use LifecycleScopedRelationship

• with scope = test
• with relationshipType = dependsOn

https://spdx.github.io/spdx-spec/v3.0.1/model/Core/Classes/LifecycleScopedRelationship/

[goneall]

Transitive dependencies are handles by creating relationship between the dependent library and their dependencies.

ie:

project P -> lib A : P dependsOn A
         \-> lib B(test scope) : A dependsOn, scope=test B