From 2b8eb3fab471f8b18dbf93dc0b9df4a7450fb4ea Mon Sep 17 00:00:00 2001
From: Monal-Reddy
Date: Thu, 22 Jan 2026 03:52:44 +0530
Subject: [PATCH] Fix SPDX document root dependencies being treated as package dependencies
Signed-off-by: Monal-Reddy
---
 scanpipe/pipes/resolve.py | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
index 0a409dd88c..9c94d1c151 100644
--- a/scanpipe/pipes/resolve.py
+++ b/scanpipe/pipes/resolve.py
@@ -365,6 +365,14 @@ def spdx_relationship_to_dependency_data(spdx_relationship):
     else:
         # spdx_id depends on related_spdx_id
         for_package_uid = spdx_relationship.spdx_id
         resolve_to_package_uid = spdx_relationship.related_spdx_id
+
+    # SPDX relationships can originate from the document itself
+    # (SPDXRef-DOCUMENT). In that case, the dependency is a
+    # project-level dependency and must not be treated as a
+    # package-to-package relationship.
+    if for_package_uid == "SPDXRef-DOCUMENT":
+        for_package_uid = None
+
     dependency_data = {
         "for_package_uid": for_package_uid,
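Review bot: The new guard `if for_package_uid == "SPDXRef-DOCUMENT":` only neutralises the document identifier on the depending side; `resolve_to_package_uid` is assigned from the other end of the same relationship and can equally be `SPDXRef-DOCUMENT` (for instance if a `DESCRIBES` relationship, whose subject is the document, ever reaches this function), in which case the document ID would still be emitted as a package UID to resolve. Unless the caller filters relationship types before calling this function, consider either mirroring the check, `if resolve_to_package_uid == "SPDXRef-DOCUMENT": resolve_to_package_uid = None`, or extending the new comment to state why the target side is assumed never to be the document. The exact string match is correct since the SPDX specification fixes the document's SPDXID as `SPDXRef-DOCUMENT`, but hoisting the literal into a module-level constant such as `SPDX_DOCUMENT_ID = "SPDXRef-DOCUMENT"` would keep any second comparison in sync with this one. The `if` branch that mirrors the visible `else`, and the rest of `dependency_data` and the function's return, lie outside the hunk.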