Armin Tänzer

Results 29 issues of Armin Tänzer

[According to spec](https://spdx.github.io/spdx-spec/v2.3/composition-of-an-SPDX-document/#522-package-information-section), since v2.0 a document does not have to contain a package. This contradicts the [current validation](https://github.com/spdx/tools-python/blob/a9eeb104e2ccd565af9785d909db5a8777e6dd0a/spdx/document.py#L468).

bug

I came across [this line](https://github.com/spdx/tools-python/blob/7b9395589d65c117f541dc43e85895e2f6fb63ee/spdx/parsers/jsonyamlxml.py#L1654) in the code of `jsonyamlxml.py`: `# At the moment, only single-package documents are supported, so just the last package will be stored.` Multiple...

The [current implementation](https://github.com/spdx/tools-python/blob/a76ded116489be3a06b056f3e1f9d01abce23748/spdx/parsers/xmlparser.py#L53) expects an SPDX document in XML format to be wrapped in `` _and_ `` tags. As can be seen [here](https://github.com/spdx/spdx-spec/blob/development/v2.3.1/examples/SPDXXMLExample-v2.3.spdx.xml), for example, only `` tags are necessary...

This is set up to produce the same SPDX output as the current spdx generation module while utilising the spdx-tools library. The goal is to replace the current module with...

Note: This uses the new version of the SPDX generation introduced in #1233. The old version sports the same errors and a few more that have already been fixed in...

As I'm currently updating the SPDX output of `tern`, I noticed that this part of the code does not seem to be tested (please correct me if I'm wrong and...

While perusing the SPDX generation code, I noticed that [here](https://github.com/tern-tools/tern/blob/62507edfd2d87a878f7c033ab29241da1d0a42f3/tern/formats/spdx/spdxjson/layer_helpers.py#L193) all licenses from files are converted to `LicenseRef`-style license identifiers. This means that these should all show up in `ExtractedLicensingInfo`....

During handling of SPDXLite documents, @meretp encountered a problem that led me to reread the specification on the DESCRIBES relationship. The part I'm referring to is this ([link](https://github.com/spdx/spdx-spec/blob/development/v2.3.1/chapters/relationships-between-SPDX-elements.md?plain=1#L21)): > [a...

The spec [Other licensing information detected](https://spdx.github.io/spdx-spec/v2.3/other-licensing-information-detected/) (aka `ExtractedLicensingInfo`) is confusing regarding the fields `LicenseId` and `ExtractedText`. `LicenseId` has a cardinality of `0..1 conditional (Mandatory, one) if license is not on...

The example was missing the `swid:` prefix. I also changed the formatting to use the one found in other examples like in the Package-Manager section.