When producing an SBOM, use the Package-URL as the spdxId if one is available for a software package.
This would help with element deduplication in the SBOM-fragment merging use case.
Note that a Package-URL may not be guaranteed to be unique (see spdx/spdx-spec#1379 (comment)), so we should only do this when the Package-URL is believed to be unique -- for example, when it is fully qualified with an exact major.minor.patch version number.
Track SPDX recommendation at:
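As an added example (not part of this issue and not SPDX project code), the following Python sketch applies the rule above: a package's spdxId is set to its Package-URL only when the purl carries an exact major.minor.patch version, and merging two constructed fragments then deduplicates on that id. The version regex and the urn:uuid fallback for non-unique purls are assumptions.

```python
import re
import uuid

# Assumed rule: only an exact major.minor.patch version (optionally with a
# pre-release or build suffix) counts as "fully qualified".
SEMVER_RE = re.compile(r"^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$")


def is_fully_qualified_purl(purl: str) -> bool:
    """True when the purl (pkg:type/namespace/name@version?qualifiers#subpath)
    names an exact major.minor.patch version; unversioned purls are rejected."""
    if not purl.startswith("pkg:"):
        return False
    body = purl[len("pkg:"):]
    # Drop subpath and qualifiers; they do not affect the version check.
    body = body.split("#", 1)[0].split("?", 1)[0]
    if "@" not in body:
        return False
    path, version = body.rsplit("@", 1)
    return bool(path.strip("/")) and bool(SEMVER_RE.match(version))


def spdx_id_for(package: dict) -> str:
    """Use the purl as spdxId only when it is believed unique; otherwise mint a
    fresh id so two unrelated entries are never merged by accident."""
    purl = package.get("purl")
    if purl and is_fully_qualified_purl(purl):
        return purl
    return f"urn:uuid:{uuid.uuid4()}"  # assumed fallback scheme


def merge_fragments(*fragments: list) -> list:
    """Merge SBOM fragments, keeping the first element seen per spdxId."""
    merged, seen = [], set()
    for fragment in fragments:
        for pkg in fragment:
            element = {"spdxId": spdx_id_for(pkg), **pkg}
            if element["spdxId"] in seen:
                continue
            seen.add(element["spdxId"])
            merged.append(element)
    return merged


# Constructed sample fragments: both list the same exact lodash version,
# which should collapse to a single element after merging.
FRAGMENT_A = [{"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
              {"name": "left-pad", "purl": "pkg:npm/left-pad"}]
FRAGMENT_B = [{"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
              {"name": "requests", "purl": "pkg:pypi/requests@2.31.0"}]

if __name__ == "__main__":
    for element in merge_fragments(FRAGMENT_A, FRAGMENT_B):
        print(element["spdxId"], element["name"])
```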