cyclonedx-cli
Converted spdxjson file does not validate for some valid CycloneDX SBOMs
Dear Community,
Thank you for reading this report. There is a CycloneDX SBOM JSON file I generated with the CycloneDX Maven Plugin which passed validation by the CLI tool. However, after converting the CycloneDX JSON file into spdxjson format, the converted file failed validation by the spdx java tool (the CLI tool behind SPDX Online Tools). Please find below my command-line history for running the conversion and validation.
```
$ ./cyclonedx-linux-x64 --version
0.24.0
```

Validating the input was successful:

```
$ ./cyclonedx-linux-x64 validate --input-file acme-tools.json --input-format json --input-version v1_3
Validating JSON BOM...
BOM validated successfully.
$ echo $?
0
```
Conversion to spdxjson was also successful:

```
$ ./cyclonedx-linux-x64 convert --input-file acme-tools.json --output-file acme-tools-spdx.json --input-format json --output-format spdxjson
$ echo $?
0
$ ls acme-tools-spdx.json
acme-tools-spdx.json
```
Validating the output spdxjson file using the spdx java tool failed:

```
$ java -jar tools-java/tools-java-1.0.4-jar-with-dependencies.jar Verify acme-tools-spdx.json
WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
This SPDX Document is not valid due to:
object has missing required properties (["licenseDeclared"]) for {"pointer":"/packages/1"} # Issue 1
Document must have at least one relationship of type DOCUMENT_DESCRIBES # Issue 2
$ echo $?
1
```
To investigate the 2 issues above, please find the original and converted files attached to this ticket.

For issue 1, I could see that in the converted SPDX JSON file there is no "licenseDeclared" property for org.jdom/jdom2@2.0.6:

```json
{
  "SPDXID": "SPDXRef-pkg:maven/org.jdom/jdom2@2.0.6?type=jar",
  "checksums": [
    { "algorithm": "MD5", "checksumValue": "86a30c9b1ddc08ca155747890db423b7" },
    { "algorithm": "SHA1", "checksumValue": "6f14738ec2e9dd0011e343717fa624a10f8aab64" },
    { "algorithm": "SHA256", "checksumValue": "1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5" },
    { "algorithm": "SHA384", "checksumValue": "6240f6747c788c1d512aa1383ff5648dc1c528504010d1dea0667cfa7b291e5521ad70521a8753e52c057edbdc190d36" },
    { "algorithm": "SHA512", "checksumValue": "315791dc16bc6240d81da7fee9ae325102ff7db19a57805335d189bc747abc4d1c80144589ebf956613b93b2263c7565fdf171aca0c6c598616eb3f0bdf4cc58" }
  ],
  "copyrightText": "NOASSERTION",
  "description": "A complete, Java-based solution for accessing, manipulating, and outputting XML data",
  "downloadLocation": "NOASSERTION",
  "homepage": "NOASSERTION",
  "licenseConcluded": "NOASSERTION",
  "licenseInfoFromFiles": [ "NOASSERTION" ],
  "name": "jdom2",
  "originator": "NOASSERTION",
  "supplier": "NOASSERTION",
  "versionInfo": "2.0.6"
}
```

Whereas in the original CycloneDX file, before conversion, there is a license block for org.jdom/jdom2@2.0.6:

```json
{
  "publisher" : "JDOM",
  "group" : "org.jdom",
  "name" : "jdom2",
  "version" : "2.0.6",
  "description" : "A complete, Java-based solution for accessing, manipulating, and outputting XML data",
  "scope" : "required",
  "hashes" : [
    { "alg" : "MD5", "content" : "86a30c9b1ddc08ca155747890db423b7" },
    { "alg" : "SHA-1", "content" : "6f14738ec2e9dd0011e343717fa624a10f8aab64" },
    { "alg" : "SHA-256", "content" : "1345f11ba606d15603d6740551a8c21947c0215640770ec67271fe78bea97cf5" },
    { "alg" : "SHA-384", "content" : "6240f6747c788c1d512aa1383ff5648dc1c528504010d1dea0667cfa7b291e5521ad70521a8753e52c057edbdc190d36" },
    { "alg" : "SHA-512", "content" : "315791dc16bc6240d81da7fee9ae325102ff7db19a57805335d189bc747abc4d1c80144589ebf956613b93b2263c7565fdf171aca0c6c598616eb3f0bdf4cc58" },
    { "alg" : "SHA3-256", "content" : "e46ea1f3ddd97c9e6a5714ed0e4f981962f4c11c28ec96f63edff801c202921a" },
    { "alg" : "SHA3-384", "content" : "5905840ddfa1bdad2bf8cc3b61a0509c438de94585473b5e4a4dccd8c653fe0a97b094b6703b502605b1141ad6b83d23" },
    { "alg" : "SHA3-512", "content" : "4db8ae655765f69ffd94f4cfbf1d637a9159bb015af198902449ad0f9654b41aa3ec8695e36c358ce36ec7d3ebb67feafd955be6eefdb5d72f308e95a97ab8a9" }
  ],
  "licenses" : [
    {
      "license" : {
        "name" : "Similar to Apache License but with the acknowledgment clause removed",
        "url" : "https://raw.github.com/hunterhacker/jdom/master/LICENSE.txt"
      }
    }
  ],
  "purl" : "pkg:maven/org.jdom/jdom2@2.0.6?type=jar",
  "externalReferences" : [
    { "type" : "website", "url" : "http://www.jdom.org" },
    { "type" : "mailing-list", "url" : "http://jdom.markmail.org/" }
  ],
  "type" : "library",
  "bom-ref" : "pkg:maven/org.jdom/jdom2@2.0.6?type=jar"
}
```
Thank you for your help in resolving the issues in the CycloneDX CLI tool. I look forward to hearing from you.
Best regards, Robert

Attachment: acme-tools.zip
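The two errors in the report are business-logic checks that a JSON-schema validator does not catch: every SPDX 2.2 package must carry a `licenseDeclared` (and a few other mandatory fields), and the document must declare what it describes. The following script, added here as an example and not part of the cyclonedx-cli project or the reporter's attachment, runs those same checks over an SPDX JSON document so a converted SBOM can be gated in a pipeline before it reaches downstream tooling. The embedded sample document is constructed to mirror the report (a jdom2 package without `licenseDeclared`, no `DOCUMENT_DESCRIBES` relationship); the root package `com.example/acme-tools` and the `ROOT_ID` it yields are assumptions, as is the choice of `NOASSERTION` as the fill-in value, which is a legal SPDX value but records that nothing was asserted about the license rather than recovering the CycloneDX license text.

```python
import json
import sys

# Constructed sample modelled on the converted acme-tools-spdx.json in the report.
# The root package com.example/acme-tools is an assumption; the jdom2 package
# deliberately lacks "licenseDeclared" and no DOCUMENT_DESCRIBES relationship exists.
ROOT_ID = "SPDXRef-pkg:maven/com.example/acme-tools@1.0.0?type=jar"
JDOM_ID = "SPDXRef-pkg:maven/org.jdom/jdom2@2.0.6?type=jar"
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.2",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "acme-tools",
  "packages": [
    {"SPDXID": "%s", "name": "acme-tools", "versionInfo": "1.0.0",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
     "licenseDeclared": "Apache-2.0", "copyrightText": "NOASSERTION"},
    {"SPDXID": "%s", "name": "jdom2", "versionInfo": "2.0.6",
     "downloadLocation": "NOASSERTION", "licenseConcluded": "NOASSERTION",
     "copyrightText": "NOASSERTION"}
  ],
  "relationships": [
    {"spdxElementId": "%s", "relationshipType": "DEPENDS_ON", "relatedSpdxElement": "%s"}
  ]
}
""" % (ROOT_ID, JDOM_ID, ROOT_ID, JDOM_ID)

# Package fields SPDX 2.2 marks as mandatory (name, download location,
# concluded license, declared license, copyright text).
REQUIRED_PACKAGE_FIELDS = ("name", "downloadLocation", "licenseConcluded",
                           "licenseDeclared", "copyrightText")


def load_sample():
    """Parse the constructed sample into a fresh dict each call."""
    return json.loads(SAMPLE_SPDX_JSON)


def packages_missing_fields(doc):
    """Map SPDXID -> list of mandatory package fields that are absent."""
    problems = {}
    for pkg in doc.get("packages", []):
        missing = [f for f in REQUIRED_PACKAGE_FIELDS if f not in pkg]
        if missing:
            problems[pkg.get("SPDXID", "<no SPDXID>")] = missing
    return problems


def described_elements(doc):
    """SPDXIDs the document declares it describes, accepting both the
    top-level "documentDescribes" list and explicit DOCUMENT_DESCRIBES
    relationships originating from the document element."""
    ids = set(doc.get("documentDescribes", []))
    for rel in doc.get("relationships", []):
        if (rel.get("relationshipType") == "DOCUMENT_DESCRIBES"
                and rel.get("spdxElementId") == doc.get("SPDXID")):
            ids.add(rel.get("relatedSpdxElement"))
    return ids


def check_spdx_document(doc):
    """Return a list of human-readable issues; empty means both checks pass."""
    issues = []
    for spdx_id, missing in packages_missing_fields(doc).items():
        issues.append(f"package {spdx_id} is missing required properties {missing}")
    if not described_elements(doc):
        issues.append("document must have at least one relationship of type DOCUMENT_DESCRIBES")
    return issues


def fill_license_declared(doc, default="NOASSERTION"):
    """Remediation (assumed policy): give packages without a declared license
    the explicit SPDX value NOASSERTION so the document becomes well-formed."""
    for pkg in doc.get("packages", []):
        pkg.setdefault("licenseDeclared", default)
    return doc


def add_document_describes(doc, spdx_id):
    """Remediation: record that the document describes the given root package."""
    doc.setdefault("relationships", []).append({
        "spdxElementId": doc["SPDXID"],
        "relationshipType": "DOCUMENT_DESCRIBES",
        "relatedSpdxElement": spdx_id,
    })
    return doc


if __name__ == "__main__":
    # Usage: python check_spdx.py [converted.spdx.json]; falls back to the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            document = json.load(fh)
    else:
        document = load_sample()
    found = check_spdx_document(document)
    print("\n".join(found) if found else "no issues found")
    sys.exit(1 if found else 0)
```

Run against the converted file, the script reproduces the two findings from the tools-java output; the remediation helpers show what a minimal conforming document needs, but the proper fix is for the converter itself to map the CycloneDX `licenses` block and the root component into `licenseDeclared` and a `DOCUMENT_DESCRIBES` relationship rather than leaving consumers to patch the output.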
Thanks for reporting. I got the same validation error using the SPDX Online Tool as well.
@stevespringett Is there any plan to become fully spdx compliant so that the validator will show a success? Or is cyclonedx a kind of format fork of the spdx.org format?
> Or is cyclonedx a kind of format fork of the spdx.org format?
No, certainly not a fork. They are entirely two different formats unrelated to each other. CycloneDX includes support for SPDX licenses and expressions, but other than that, they are very different specifications.
Ok, then I'm not sure if this issue is really something you want to solve at all. Or my question wasn't sufficiently precise: the format "spdxjson" selected in the cyclonedx convert option: does it target compatibility with spdx.org's JSON format as validated at https://tools.spdx.org/app/, or is this also not the goal of spdxjson, and it is actually a format of its own?
The converted spdx document validates against the spdx json schema, but fails the additional business logic validation in the spdx tools.
Likely a defect in the conversion logic.