From 2b8eb3fab471f8b18dbf93dc0b9df4a7450fb4ea Mon Sep 17 00:00:00 2001
From: Monal-Reddy
Date: Thu, 22 Jan 2026 03:52:44 +0530
Subject: [PATCH 1/2] Fix SPDX document root dependencies being treated as package dependencies

Signed-off-by: Monal-Reddy
---
 scanpipe/pipes/resolve.py | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
index 0a409dd88c..9c94d1c151 100644
--- a/scanpipe/pipes/resolve.py
+++ b/scanpipe/pipes/resolve.py
@@ -365,6 +365,14 @@ def spdx_relationship_to_dependency_data(spdx_relationship):
     else:
         # spdx_id depends on related_spdx_id
         for_package_uid = spdx_relationship.spdx_id
         resolve_to_package_uid = spdx_relationship.related_spdx_id
+
+    # SPDX relationships can originate from the document itself
+    # (SPDXRef-DOCUMENT). In that case, the dependency is a
+    # project-level dependency and must not be treated as a
+    # package-to-package relationship.
+    if for_package_uid == "SPDXRef-DOCUMENT":
+        for_package_uid = None
+
     dependency_data = {
         "for_package_uid": for_package_uid,

From 780488eeedd7a91f2f00305c3166aeb4a2e03acb Mon Sep 17 00:00:00 2001
From: Monal-Reddy
Date: Sun, 22 Mar 2026 10:32:40 +0530
Subject: [PATCH 2/2] Fix SPDX document dependency handling and add test

Signed-off-by: Monal-Reddy
---
 scanpipe/pipes/resolve.py | 8 ++------
 scanpipe/tests/pipes/test_resolve.py | 19 +++++++++++++++++++
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/scanpipe/pipes/resolve.py b/scanpipe/pipes/resolve.py
index 9c94d1c151..ec66c4cd14 100644
--- a/scanpipe/pipes/resolve.py
+++ b/scanpipe/pipes/resolve.py
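Review bot: The guard `if for_package_uid == "SPDXRef-DOCUMENT":` keys on the element identifier rather than on the relationship type, so any relationship anchored on the document that reaches this function (a DESCRIBES or CONTAINS relationship is typically written from SPDXRef-DOCUMENT in SPDX documents) would now be recorded as a project-level dependency; whether the caller filters to dependency-type relationships before calling is decided outside the hunk and is worth confirming. The identifier itself is a bare literal in the middle of the function; a module-level `SPDX_DOCUMENT_ID = "SPDXRef-DOCUMENT"` (a name I am proposing, not one the page shows) would keep it in one place and make the comparison searchable. The same literal reappears in the [PATCH 2/2] hunk of this file. Because the guard sits after the if/else, it also clears the document id when it arrives via `related_spdx_id` in the first branch, which is correct; that branch and the rest of spdx_relationship_to_dependency_data lie outside the hunk.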
@@ -365,15 +365,11 @@ def spdx_relationship_to_dependency_data(spdx_relationship):
     else:
         # spdx_id depends on related_spdx_id
         for_package_uid = spdx_relationship.spdx_id
         resolve_to_package_uid = spdx_relationship.related_spdx_id
-
-    # SPDX relationships can originate from the document itself
-    # (SPDXRef-DOCUMENT). In that case, the dependency is a
-    # project-level dependency and must not be treated as a
-    # package-to-package relationship.
+
+    # SPDXRef-DOCUMENT represents the project; treat as project-level dependency
     if for_package_uid == "SPDXRef-DOCUMENT":
         for_package_uid = None
-
     dependency_data = {
         "for_package_uid": for_package_uid,
         "resolve_to_package_uid": resolve_to_package_uid,
diff --git a/scanpipe/tests/pipes/test_resolve.py b/scanpipe/tests/pipes/test_resolve.py
index 2c7aa33bcb..e4a78afa9d 100644
--- a/scanpipe/tests/pipes/test_resolve.py
+++ b/scanpipe/tests/pipes/test_resolve.py
@@ -376,3 +376,22 @@ def test_scanpipe_resolve_get_manifest_headers(self):
         ]
         headers = resolve.get_manifest_headers(resource)
         self.assertEqual(expected, list(headers.keys()))
+
+    def test_spdx_document_root_becomes_project_dependency(self):
+        spdx_relationship_data = {
+            "spdxElementId": "SPDXRef-DOCUMENT",
+            "relatedSpdxElement": "SPDXRef-packageA",
+            "relationshipType": "DEPENDS_ON",
+        }
+
+        spdx_relationship = spdx.Relationship.from_data(spdx_relationship_data)
+
+        dependency_data = resolve.spdx_relationship_to_dependency_data(
+            spdx_relationship
+        )
+
+        self.assertIsNone(dependency_data["for_package_uid"])
+        self.assertEqual(
+            "SPDXRef-packageA",
+            dependency_data["resolve_to_package_uid"],
+        )
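Review bot: The rewritten one-line comment above the guard says what SPDXRef-DOCUMENT is but no longer says what the code does about it, so a reader has to work out that a `None` `for_package_uid` is the project-level marker the rest of the pipeline expects. Suggest `# A relationship anchored on the document itself (SPDXRef-DOCUMENT) is project-level, not package-to-package: clear the package side so it is not matched against a package uid.` The literal and the relationship-type concern are raised on the [PATCH 1/2] hunk of this file and apply here unchanged. The function continues outside the hunk on both sides.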
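Review bot: The new test drives only the `else:` branch of spdx_relationship_to_dependency_data (DEPENDS_ON, document as `spdxElementId`), so the guard is never checked for a relationship written in the opposite direction, where the document reaches `for_package_uid` through `related_spdx_id`, and there is no negative case showing that an ordinary package-to-package relationship keeps its `for_package_uid`. Two companion cases, sketched below with constructed sample ids, would pin both sides of the guard; the relationship type that selects the first branch is decided in code outside the hunk, so the `DEPENDENCY_OF` value is an assumption to confirm against that condition. The test inspects only two keys of the returned dict, which is fine as long as no other entry of dependency_data is derived from `for_package_uid`; the rest of the function and the test class header are outside the hunk.
```python
    def test_spdx_document_root_as_related_element_becomes_project_dependency(self):
        # Opposite direction: the package is a dependency of the document, so the
        # document id reaches for_package_uid through related_spdx_id.
        # NOTE(review): assumes DEPENDENCY_OF selects the first branch — confirm.
        spdx_relationship = spdx.Relationship.from_data(
            {
                "spdxElementId": "SPDXRef-packageA",
                "relatedSpdxElement": "SPDXRef-DOCUMENT",
                "relationshipType": "DEPENDENCY_OF",
            }
        )
        dependency_data = resolve.spdx_relationship_to_dependency_data(spdx_relationship)
        self.assertIsNone(dependency_data["for_package_uid"])
        self.assertEqual("SPDXRef-packageA", dependency_data["resolve_to_package_uid"])

    def test_spdx_package_to_package_relationship_keeps_for_package_uid(self):
        # Negative case: the guard must not touch relationships between packages.
        spdx_relationship = spdx.Relationship.from_data(
            {
                "spdxElementId": "SPDXRef-packageA",
                "relatedSpdxElement": "SPDXRef-packageB",
                "relationshipType": "DEPENDS_ON",
            }
        )
        dependency_data = resolve.spdx_relationship_to_dependency_data(spdx_relationship)
        self.assertEqual("SPDXRef-packageA", dependency_data["for_package_uid"])
        self.assertEqual("SPDXRef-packageB", dependency_data["resolve_to_package_uid"])
```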