tools-python
Error message when parsing files and mandatory fields are missing.
Using the tools.spdx.dev and feeding in file:
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT-SAGPM
DocumentName: Software Assurance Guardian Point Man (SAG-PM)
DocumentNamespace: http://softwareassuranceguardian.com/
Creator: Person: Dick Brooks ([email protected]
Creator: Tool: PyInstaller 3.6
Created: 2020-09-08T19:44:17Z
Package: SAG-PM
PackageName:aiodns
SPDXID: SPDXRef-aiodns-2.0.0
PackageSupplier: Person:Saúl Ibarra Corretgé
PackageVersion: 2.0.0
PackageChecksum: SHA-256: aaa5ac584f40fe778013df0aa6544bf157799bd3f608364b451840ed2c8688de
PackageDownloadLocation: purl+pkg:pypi/[email protected]
FilesAnalyzed: false
PackageName:altgraph
SPDXID: SPDXRef-altgraph-0.17
PackageSupplier: Person:Ronald Oussoren
PackageVersion: 0.17
PackageChecksum: SHA-256: c623e5f3408ca61d4016f23a681b9adb100802ca3e3da5e718915a9e4052cebe
PackageLicenseConcluded: MIT
PackageDownloadLocation: purl+pkg:pypi/[email protected]
FilesAnalyzed: false
The error message, “Only one PackageName allowed, extra at line: 21”, is confusing and misleading, as I think the problem is missing mandatory fields. But please confirm if this is indeed the case.
Kate, I have confirmed your speculation; adding the missing fields got me past this error. Perhaps an error like "Missing required fields {missing fields}" would be more helpful. Thanks for your help.
Moving this over to the new version of the SPDX tools which is now used in the online tools.
I'm not able to reproduce the same error.
When I run validate using the above file text, I get an invalid document error due to the SPDX Document Ref.
The SPDXID: SPDXRef-DOCUMENT-SAGPM needs to be replaced with SPDXID: SPDXRef-DOCUMENT per the spec.
When I fix that, I get a different error:

Looking at the document, line 10 contains Package: SAG-PM which is not a valid keyword.
When I remove the invalid package, I get the following error:
Analysis exception processing SPDX file: Invalid checksum algorithm: SHA-256: aaa5ac584f40fe778013df0aa6544bf157799bd3f608364b451840ed2c8688de at line number 14
SHA-256 needs to be replaced with SHA256.
Fixing this, I get the error Analysis exception processing SPDX file: Invalid download location pattern purl+pkg:pypi/[email protected]. Must match the pattern ^(NONE|NOASSERTION|(((git|hg|svn|bzr)\+)?(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/|ssh:\/\/|git:\/\/|svn:\/\/|sftp:\/\/|ftp:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/.*))|(git\+git@[a-zA-Z0-9\.]+:[a-zA-Z0-9]+)|(bzr\+lp:[a-zA-Z0-9\.]+))$
Removing the download location, I got the following message:
This SPDX Document is not valid due to:
Package at line 17 invalid: Missing required copyright text for altgraph in altgraph
Package at line 17 invalid: Missing required download location for package altgraph
Package at line 17 invalid: Missing required declared license for package altgraph
Package at line 10 invalid: Missing required concluded license for aiodns in aiodns
Package at line 10 invalid: Missing required copyright text for aiodns in aiodns
Package at line 10 invalid: Missing required download location for package aiodns
Package at line 10 invalid: Missing required declared license for package aiodns
BTW, I did find a separate issue parsing external Refs while investigating this: spdx/spdx-java-tagvalue-store#3
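The validation sequence walked through above (document SPDXID, an unknown keyword, checksum algorithm spelling, the download-location pattern, and the four mandatory package tags), together with the original report's wish for a "Missing required fields" message, as an added example that is not part of this thread and not code from the spdx tools: a small Python checker over SPDX 2.2 tag-value text. The sample document is constructed here to mirror the reported file and its defects (the digests are the ones quoted in the thread; the author email and the purl are placeholders), the download-location regex is the one quoted in the validator message above, and the known-tag and checksum-algorithm sets are the SPDX 2.2 subsets the sample needs.

```python
import re

# Package tags the validator in this thread reported as missing; SPDX 2.2 makes all four mandatory.
REQUIRED_PACKAGE_TAGS = (
    ("PackageDownloadLocation", "download location"),
    ("PackageLicenseConcluded", "concluded license"),
    ("PackageLicenseDeclared", "declared license"),
    ("PackageCopyrightText", "copyright text"),
)
# Algorithm names as SPDX 2.2 spells them: "SHA256" is accepted, "SHA-256" is not.
CHECKSUM_ALGORITHMS = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512", "MD2", "MD4", "MD5", "MD6"}
# PackageDownloadLocation pattern, copied verbatim (split over three strings) from the validator message.
DOWNLOAD_LOCATION_RE = re.compile(
    r"^(NONE|NOASSERTION|(((git|hg|svn|bzr)\+)?(http:\/\/www\.|https:\/\/www\.|http:\/\/|https:\/\/"
    r"|ssh:\/\/|git:\/\/|svn:\/\/|sftp:\/\/|ftp:\/\/)?[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}"
    r"(:[0-9]{1,5})?(\/.*))|(git\+git@[a-zA-Z0-9\.]+:[a-zA-Z0-9]+)|(bzr\+lp:[a-zA-Z0-9\.]+))$"
)
# Subset of the SPDX 2.2 tag set, enough for the sample below; any other keyword is reported.
KNOWN_TAGS = {
    "SPDXVersion", "DataLicense", "SPDXID", "DocumentName", "DocumentNamespace", "Creator", "Created",
    "PackageName", "PackageSupplier", "PackageVersion", "PackageChecksum", "PackageDownloadLocation",
    "PackageLicenseConcluded", "PackageLicenseDeclared", "PackageCopyrightText", "FilesAnalyzed",
}


def parse_tag_value(text):
    """Return (document_tags, packages, errors); a PackageName line opens a package section and
    every tag after it belongs to that package, as in the SPDX tag-value grammar."""
    doc_tags, packages, errors = {}, [], []
    current = None                      # the package dict currently being filled, or None
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tag, sep, value = line.partition(":")
        if not sep:
            errors.append(f"Line {lineno}: not a tag-value line: {line!r}")
            continue
        tag, value = tag.strip(), value.strip()
        if tag not in KNOWN_TAGS:
            errors.append(f"Line {lineno}: unknown keyword {tag!r}")
            continue
        if tag == "PackageName":
            current = {"line": lineno, "tags": {}}
            packages.append(current)
        (doc_tags if current is None else current["tags"])[tag] = value
    return doc_tags, packages, errors


def validate(text):
    """Run the checks the thread walks through; an empty list means the document passed."""
    doc_tags, packages, errors = parse_tag_value(text)
    if doc_tags.get("SPDXID") != "SPDXRef-DOCUMENT":
        errors.append(f"Document SPDXID must be SPDXRef-DOCUMENT, got {doc_tags.get('SPDXID')!r}")
    for pkg in packages:
        tags, name = pkg["tags"], pkg["tags"].get("PackageName", "<unnamed>")
        prefix = f"Package at line {pkg['line']} invalid"
        checksum = tags.get("PackageChecksum")
        if checksum is not None:
            algorithm = checksum.partition(":")[0].strip()
            if algorithm not in CHECKSUM_ALGORITHMS:
                errors.append(f"{prefix}: Invalid checksum algorithm: {algorithm} for package {name}")
        location = tags.get("PackageDownloadLocation")
        if location is not None and not DOWNLOAD_LOCATION_RE.match(location):
            errors.append(f"{prefix}: Invalid download location pattern {location} for package {name}")
        for tag, label in REQUIRED_PACKAGE_TAGS:
            if tag not in tags:
                errors.append(f"{prefix}: Missing required {label} for package {name}")
    return errors


# Constructed sample mirroring the reported file and its defects (document SPDXID suffix, stray
# "Package:" keyword, "SHA-256", a purl as download location, no license or copyright tags for
# aiodns); altgraph is the corrected form. Digests are the ones quoted in the thread.
SAMPLE = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT-SAGPM
DocumentName: Software Assurance Guardian Point Man (SAG-PM)
Creator: Person: Example Author (author@example.com)
Created: 2020-09-08T19:44:17Z
Package: SAG-PM
PackageName: aiodns
SPDXID: SPDXRef-aiodns-2.0.0
PackageVersion: 2.0.0
PackageChecksum: SHA-256: aaa5ac584f40fe778013df0aa6544bf157799bd3f608364b451840ed2c8688de
PackageDownloadLocation: purl+pkg:pypi/example-package
PackageName: altgraph
SPDXID: SPDXRef-altgraph-0.17
PackageVersion: 0.17
PackageChecksum: SHA256: c623e5f3408ca61d4016f23a681b9adb100802ca3e3da5e718915a9e4052cebe
PackageDownloadLocation: https://pypi.org/project/altgraph/
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION
"""

if __name__ == "__main__":
    for problem in validate(SAMPLE) or ["document is valid"]:
        print(problem)
```

Run stand-alone it prints seven findings for the aiodns package and the document header and none for altgraph; the stray `Package:` line is reported as an unknown keyword at its own line number rather than surfacing later as a misleading "Only one PackageName allowed". A checker for real SBOMs would take the complete tag and algorithm lists from the spec rather than the subsets hard-coded here.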
Thanks, Gary. I'll tackle these issues. Is there an online, web spdx verifier I can use to check for errors?
@rjb4standards Yes - https://tools.spdx.org/app/validate/
I thought that was the origin of these errors.
Are you using the command line tool at https://github.com/spdx/tools?
If so, you can try a more up to date command line tool at https://github.com/spdx/tools-java
@rjb4standards Were these errors found using the Python parser? If so, you can ignore all my comments above on the error handling and I'll transfer this over to the Python tools repo.
Gary, the Python parser is reporting these errors, but the online validator, my new best friend, reports no errors.
PackageName:spdx-tools
SPDXID: SPDXRef-spdx-tools-0.6.1
PackageSupplier: Person:Ahmed H. Ismail
PackageVersion: 0.6.1
PackageChecksum: SHA256: 45fa09d43534772ca63bff2dccf1fbde88e1fc9b9515fc7a34ae50540d7ad29c
Moving this issue to the Python tools repo
This issue seems to be related to #185. Feeding the Python parser with the file from above, with the mentioned fixes, leads to the error:
PackageChecksum must be a single line of text, line: 15
PackageChecksum must be a single line of text, line: 23
Errors while parsing: True
With the current release, the mentioned file can be parsed without errors, so I will close this issue.