Description
If augmenting a primary SBOM that does not have a DESCRIBES relationship (not mandatory when there is only one package), DESCRIBES relationships will be added for the augmenting packages (maybe copied from the original secondary input?), but no DESCRIBES relationship is created for the original primary package (which would be mandatory now that there is more than one package/file).
I believe that the specification-compliant result after augment (or any merge really) should be:

- Primary document/package DESCRIBES SHALL be added if missing when augmenting with additional packages.
- Secondary package DESCRIBES SHALL NOT be created/copied.
The SPDX specification's definition of DESCRIBES is a little bit confusing, but my interpretation is that a document:

- CAN have a document -> package DESCRIBES relationship if there is only one package in the document.
- SHALL have a DESCRIBES relationship to the PRIMARY package in the SBOM if more than one package is included.
- SHALL NOT have DESCRIBES relationships to other packages.
I don't know if augment is the only merge strategy that has this problem, but hierarchical seems to behave as expected at least.
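As an added example (not the merge tool's own code), the following Python sketch implements the interpretation above: it augments a minimal SPDX 2.x JSON document with the packages of a secondary one, drops the secondary's document-level DESCRIBES instead of copying it, adds a document DESCRIBES for the original primary package once the document holds more than one package, and checks a result against the three rules. The document dicts are constructed samples; the helper names, the optional `primary` argument of the checker, and the CONTAINS link from the primary package to the secondary's primary package are assumptions, since the issue does not say how the augmenting packages should be attached.

```python
# Added example (not the project's own code): apply the DESCRIBES rules from the
# issue when augmenting an SPDX 2.x JSON document, and check the result.
# Document shapes are minimal, constructed SPDX-2.3-style dicts; helper names and
# the CONTAINS link between the two primary packages are assumptions.
import copy

DOC_ID = "SPDXRef-DOCUMENT"


def document_describes(doc):
    """Set of element IDs that the document itself DESCRIBES."""
    return {
        r["relatedSpdxElement"]
        for r in doc.get("relationships", [])
        if r["relationshipType"] == "DESCRIBES" and r["spdxElementId"] == DOC_ID
    }


def primary_package_id(doc):
    """The package the document DESCRIBES, or the sole package when there is only one."""
    pkg_ids = [p["SPDXID"] for p in doc.get("packages", [])]
    targets = document_describes(doc) & set(pkg_ids)
    if len(targets) == 1:
        return next(iter(targets))
    if len(pkg_ids) == 1:
        return pkg_ids[0]
    raise ValueError("cannot identify the primary package")


def check_describes(doc, primary=None):
    """Violations of the interpretation in the issue: one package -> document
    DESCRIBES optional; several packages -> exactly one document DESCRIBES, pointing
    at a package of this document. With `primary` given (the merge tool knows it),
    also require that the DESCRIBES target is that package and nothing else."""
    problems = []
    pkg_ids = {p["SPDXID"] for p in doc.get("packages", [])}
    targets = document_describes(doc)
    if len(pkg_ids) > 1 and not targets:
        problems.append("several packages but no document DESCRIBES relationship")
    if len(targets) > 1:
        problems.append("document DESCRIBES more than one element: %s" % sorted(targets))
    for t in sorted(targets - pkg_ids):
        problems.append("document DESCRIBES unknown element %s" % t)
    if primary is not None:
        if len(pkg_ids) > 1 and primary not in targets:
            problems.append("document does not DESCRIBE the primary package %s" % primary)
        for t in sorted(targets - {primary}):
            problems.append("document DESCRIBES non-primary package %s" % t)
    return problems


def augment(primary, secondary, link_type="CONTAINS"):
    """Add the secondary document's packages and relationships to the primary.
    The secondary's document-level DESCRIBES is dropped, and a document DESCRIBES
    for the primary package is added once the document holds more than one package.
    link_type is an assumption: it attaches the secondary's primary package to the
    primary package so the added packages are not left dangling."""
    result = copy.deepcopy(primary)
    result.setdefault("relationships", [])
    prim = primary_package_id(primary)
    sec_prim = primary_package_id(secondary)
    known = {p["SPDXID"] for p in result["packages"]}
    for pkg in secondary.get("packages", []):
        if pkg["SPDXID"] in known:
            raise ValueError("SPDXID collision: %s" % pkg["SPDXID"])
        result["packages"].append(copy.deepcopy(pkg))
        known.add(pkg["SPDXID"])
    for rel in secondary.get("relationships", []):
        if rel["relationshipType"] == "DESCRIBES" and rel["spdxElementId"] == DOC_ID:
            continue  # secondary document DESCRIBES SHALL NOT be copied
        result["relationships"].append(copy.deepcopy(rel))
    result["relationships"].append(
        {"spdxElementId": prim, "relationshipType": link_type, "relatedSpdxElement": sec_prim})
    if len(result["packages"]) > 1 and prim not in document_describes(result):
        result["relationships"].append(
            {"spdxElementId": DOC_ID, "relationshipType": "DESCRIBES", "relatedSpdxElement": prim})
    return result


# Constructed sample inputs: a primary SBOM with one package and no DESCRIBES
# (allowed), and a secondary SBOM that DESCRIBES its own single package.
PRIMARY = {"SPDXID": DOC_ID, "packages": [{"SPDXID": "SPDXRef-app", "name": "app"}],
           "relationships": []}
SECONDARY = {"SPDXID": DOC_ID,
             "packages": [{"SPDXID": "SPDXRef-libfoo", "name": "libfoo"}],
             "relationships": [{"spdxElementId": DOC_ID, "relationshipType": "DESCRIBES",
                                "relatedSpdxElement": "SPDXRef-libfoo"}]}

# The behaviour reported in the issue, for comparison: the secondary's DESCRIBES is
# copied for the augmenting package and none is added for the original primary.
BUGGY_RESULT = {"SPDXID": DOC_ID, "packages": PRIMARY["packages"] + SECONDARY["packages"],
                "relationships": list(SECONDARY["relationships"])}

if __name__ == "__main__":
    merged = augment(PRIMARY, SECONDARY)
    print("expected augment:", check_describes(merged, primary="SPDXRef-app") or "OK",
          sorted(document_describes(merged)))
    print("reported behaviour:", check_describes(BUGGY_RESULT, primary="SPDXRef-app"))
```

Note that `check_describes(BUGGY_RESULT)` without the `primary` argument reports nothing: a document that DESCRIBES the wrong package is structurally valid, so the merge tool itself has to enforce which package the DESCRIBES points at.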