When a Package-URL is available, can/should it be used as an spdxId? #1379

@bact

1. When a Package-URL is available for a software package, can an SBOM producer use it as an spdxId?

2. Should any of these elements (a), (b), and (c) be considered equivalent to another element?

   (a)

   ```json
   {
     "type": "software_Package",
     "spdxId": "...#Package-1",
     "externalIdentifier": [
       {
         "externalIdentifierType": "packageUrl",
         "identifier": "pkg:pypi/requests@2.28.0"
       }
     ],
     "name": "requests"
   }
   ```

   (b)

   ```json
   {
     "type": "software_Package",
     "spdxId": "...#Package-2",
     "software_packageUrl": "pkg:pypi/requests@2.28.0",
     "name": "requests"
   }
   ```

   (c)

   ```json
   {
     "type": "software_Package",
     "spdxId": "pkg:pypi/requests@2.28.0",
     "name": "requests"
   }
   ```

3. From the spec perspective, which one, (a), (b), or (c), is a recommended way to record a software package that happens to have a Package-URL?

4. If there is such a preference from (3), should the spec document that? (In which chapter/section?)

5. Do SBOM consumers support the Package-URL scheme in spdxId?


There can be at least two contexts that are relevant to these questions:

i) in-document element deduplication (including in the SBOM merging use case)
ii) cross-document references
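One way a consumer can treat (a), (b) and (c) as the same package when deduplicating or merging SBOMs, given as an added Python example that is not part of this issue or of the SPDX project's code. The helper names, the https://example.com document IRIs and the sample elements are constructed, and only the `pkg:<type>` prefix of the PURL is normalised; whether (c) is a valid spdxId at all is left open, exactly as the issue leaves it.

```python
"""Derive one Package-URL key from an SPDX 3 software_Package element, whichever
of the shapes (a), (b) or (c) from the issue it uses, and use that key to find
duplicates when merging SBOM documents.  Added example; not SPDX project code.
The sample elements below are constructed."""

def package_purl(elem):
    """Return the element's PURL, or None if it carries none.
    Looks at software_packageUrl (b), externalIdentifier entries of type
    packageUrl (a), and finally an spdxId that is itself a pkg: URL (c).
    Only the "pkg:<type>" prefix is lowercased; full PURL canonicalisation
    is type-specific and deliberately not attempted here (simplification)."""
    candidates = []
    if elem.get("software_packageUrl"):
        candidates.append(elem["software_packageUrl"])
    for ext in elem.get("externalIdentifier", []):
        if ext.get("externalIdentifierType") == "packageUrl":
            candidates.append(ext.get("identifier") or "")
    spdx_id = elem.get("spdxId") or ""
    if spdx_id.lower().startswith("pkg:"):
        candidates.append(spdx_id)
    for purl in candidates:
        purl = purl.strip()
        if purl.lower().startswith("pkg:") and "/" in purl:
            scheme_type, rest = purl.split("/", 1)
            return scheme_type.lower() + "/" + rest
    return None

def group_by_purl(elements):
    """Map each PURL to the spdxIds that describe the same package, so a merge
    step can see which elements to treat as one.  Elements without a PURL
    land under None and are never merged with each other."""
    groups = {}
    for elem in elements:
        groups.setdefault(package_purl(elem), []).append(elem.get("spdxId"))
    return groups

# Constructed sample: shapes (a), (b), (c) from the issue, plus one package
# with no PURL.  The https://example.com document IRIs are placeholders.
SAMPLE_ELEMENTS = [
    {"type": "software_Package", "spdxId": "https://example.com/doc1#Package-1",
     "externalIdentifier": [{"externalIdentifierType": "packageUrl",
                             "identifier": "pkg:pypi/requests@2.28.0"}],
     "name": "requests"},
    {"type": "software_Package", "spdxId": "https://example.com/doc2#Package-2",
     "software_packageUrl": "pkg:PyPI/requests@2.28.0", "name": "requests"},
    {"type": "software_Package", "spdxId": "pkg:pypi/requests@2.28.0", "name": "requests"},
    {"type": "software_Package", "spdxId": "https://example.com/doc3#Package-9", "name": "internal-lib"},
]
```

Running `group_by_purl(SAMPLE_ELEMENTS)` puts the three `requests` elements under one key and leaves `internal-lib` unmerged under `None`.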
