tools-python
when files_analyzed is set to false, validation does not comply with specs
According to sections 3.8.1, 3.8.3, 3.8.4, 3.9.3 and 3.10.3 of the SPDX 2.2 spec:
3.8 Files Analyzed
3.8.1 Purpose: Indicates whether the file content of this package has been available for or subjected to analysis when creating the SPDX document. If false, indicates packages that represent metadata or URI references to a project, product, artifact, distribution or a component. If false, the package must not contain any files.
[...]
3.8.3 Cardinality: Optional, one. If omitted, the default value of true is assumed.
3.8.4 Data Format: Boolean
[...]
3.9 Package Verification Code
[...]
3.9.3 Cardinality: Mandatory, one if FilesAnalyzed is true or omitted, zero (must be omitted) if FilesAnalyzed is false.
[...]
3.10 Package Checksum
3.10.1 Purpose: Provide an independently reproducible mechanism that permits unique identification of a specific package that correlates to the data in this SPDX file. This identifier enables a recipient to determine if any file in the original package has been changed. [...]
3.10.3 Cardinality: Optional, one or many.
So, when files_analyzed is false in a package:
- there must be no files in the package, so files must not be validated (section 3.8.1)
- there must be no verif_code, so it must not be validated (section 3.9.3)
- there may be no check_sum (which is optional anyway, section 3.10.3), so it should be validated only when it is not None/omitted
And files_analyzed should be validated, too (it must be True, False or None, where None means "omitted")
The current validation methods of the Package class do not comply with any of the above, because:
- they try to validate files even when files_analyzed is false and no file must be included in the SPDX doc
- they try to validate verif_code as mandatory field even when files_analyzed is false and verif_code must not be included
- they always try to validate check_sum, even if it is an optional field
This leads to validation errors even if the document fully complies with the specs, and, on the other hand, to validation of non-compliant documents.
Finally, in tagvaluebuilder.py, files_analyzed is stored as a string in the package object, while it should be stored as a boolean.
I created pull request #150 to solve all the above issues.
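The cardinality rules quoted above, expressed as a small validator. This is an added example, not code from tools-python or from PR #150: the `Package`, `File` and `Checksum` dataclasses, the field names (`files`, `verif_code`, `check_sums`, `files_analyzed`) and the function names are assumptions chosen to mirror the issue's wording. It also recomputes the package verification code the way SPDX 2.2 section 3.9.4 defines it (SHA1 over the sorted, concatenated file SHA1 digests), so a document with `FilesAnalyzed: true` is checked against its file set rather than just for the field's presence. The sample packages at the bottom are constructed.

```python
"""Hypothetical SPDX 2.2 package validator (added example, not tools-python's code).

Rules implemented, from the sections quoted in the issue:
  3.8.3  files_analyzed is optional; omitted (None) means True.
  3.8.1  if files_analyzed is False the package must contain no files.
  3.9.3  verif_code is mandatory when files_analyzed is True/omitted and
         must be omitted when it is False.
  3.10.3 check_sums are optional (zero or more): validate only what is present.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional


# Hypothetical minimal models; not the library's own classes.
@dataclass
class File:
    name: str
    sha1: str  # hex digest of the file content


@dataclass
class Checksum:
    algorithm: str
    value: str


@dataclass
class Package:
    name: str
    files: List[File] = field(default_factory=list)
    verif_code: Optional[str] = None
    check_sums: List[Checksum] = field(default_factory=list)
    files_analyzed: Optional[bool] = None  # None == omitted == True (3.8.3)


HEX_LEN = {"SHA1": 40, "SHA256": 64, "MD5": 32}


def verification_code(files):
    """SPDX 2.2 section 3.9.4: SHA1 of the ascending-sorted, concatenated
    SHA1 hex digests of every file in the package."""
    joined = "".join(sorted(f.sha1.lower() for f in files))
    return hashlib.sha1(joined.encode("ascii")).hexdigest()


def validate_checksum(cs):
    errors = []
    expected = HEX_LEN.get(cs.algorithm)
    if expected is None:
        errors.append(f"unknown checksum algorithm {cs.algorithm!r}")
    elif not re.fullmatch(r"[0-9a-fA-F]{%d}" % expected, cs.value):
        errors.append(f"{cs.algorithm} checksum must be {expected} hex chars")
    return errors


def validate_package(pkg):
    """Return a list of spec violations; an empty list means compliant."""
    errors = []
    # A string such as "false" (the tagvaluebuilder.py problem noted in the
    # issue) is truthy and would silently be treated as True, so reject it.
    if pkg.files_analyzed is not None and not isinstance(pkg.files_analyzed, bool):
        errors.append("files_analyzed must be True, False or omitted")
        return errors
    analyzed = True if pkg.files_analyzed is None else pkg.files_analyzed

    if analyzed:
        # 3.9.3: verification code is mandatory and must match the file set.
        if pkg.verif_code is None:
            errors.append("verif_code is mandatory when files_analyzed is true")
        elif pkg.verif_code != verification_code(pkg.files):
            errors.append("verif_code does not match the package's files")
        for f in pkg.files:
            if not re.fullmatch(r"[0-9a-fA-F]{40}", f.sha1):
                errors.append(f"file {f.name!r} has an invalid SHA1")
    else:
        # 3.8.1 / 3.9.3: nothing file-related may be present.
        if pkg.files:
            errors.append("files must be empty when files_analyzed is false")
        if pkg.verif_code is not None:
            errors.append("verif_code must be omitted when files_analyzed is false")

    # 3.10.3: checksums are optional either way; validate only those given.
    for cs in pkg.check_sums:
        errors.extend(validate_checksum(cs))
    return errors


# Constructed sample data for the cases the issue distinguishes.
F1 = File("a.c", hashlib.sha1(b"a").hexdigest())
F2 = File("b.c", hashlib.sha1(b"b").hexdigest())

analyzed_pkg = Package("libfoo", files=[F1, F2],
                       verif_code=verification_code([F1, F2]),
                       files_analyzed=True)
# Reference-only package: no files, no verification code, one optional checksum.
reference_pkg = Package("libbar", files_analyzed=False,
                        check_sums=[Checksum("SHA256", "ab" * 32)])
# Non-compliant: files and a verification code despite files_analyzed=False.
bad_pkg = Package("libbaz", files_analyzed=False, files=[F1], verif_code="0" * 40)

if __name__ == "__main__":
    for p in (analyzed_pkg, reference_pkg, bad_pkg):
        print(p.name, validate_package(p) or "OK")
```

Note the early return on a non-boolean `files_analyzed`: the value `"false"` produced by a tag/value parser that keeps the raw token is truthy, so without that check the package would be validated as if its files had been analyzed, which is the opposite of what the document says.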
As the corresponding PR is closed with the comment that the PR is merged after a rebase, this issue is fixed and can be closed. @nicoweidner