
Improvement suggestion: list all validation errors at a time

Open rnjudge opened this issue 6 months ago • 3 comments

The Java tools only list the first issue they come across when there is a validation error, even if multiple issues exist. I suggest listing all the validation errors at once. The Python tools validation lists all the errors at once. By listing all of the errors at once with the Java tooling, SPDX users will have a more consistent user experience. Additionally, users know there are multiple issues up front instead of thinking there is only one error to fix.

When I validate an SBOM with multiple errors using the Java tooling:

[rose@fedora]$ java -jar tools-java-1.1.8-jar-with-dependencies.jar Verify ~/scope-antilles-outdated-deps/spdx.json
This SPDX Document is not valid due to:
	Relationship error: Relationship error: Relationship error: Invalid license id 'CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0'.  Must start with 'LicenseRef-' and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. in javax.annotation:javax.annotation-api in bazel in bazel in server in server in <sha checksum redacted>
	Relationship error: Relationship error: Relationship error: License not found for CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0 in javax.annotation:javax.annotation-api in bazel in bazel in server in server in <sha checksum redacted>

versus with the same document using Python tooling:

[rose@fedora]$ pyspdxtools -i spdx.json 
ERROR:root:The document is invalid. The following issues have been found:
Unrecognized license reference: CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0. license_expression must only use IDs from the license list or extracted licensing info, but is: CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0
homepage must be a valid URL, but is:  https://github.com/KhronosGroup/Vulkan-headers
Unrecognized license reference: LicenseRef-Public-Domain. license_expression must only use IDs from the license list or extracted licensing info, but is: LicenseRef-Public-Domain

rnjudge, Aug 05 '24 18:08
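
The difference between the two behaviours reported above, as an added sketch that is not part of the issue and is not code from tools-java or the Python tools: one generator yields every error, and the fail-fast and collect-all modes differ only in how much of it they consume. The license list subset, the package records (modelled on the quoted output) and all function names are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed stand-ins: a tiny slice of the SPDX license list and two package
# records shaped like the ones behind the errors quoted in the issue.
KNOWN_IDS = {"CDDL-1.0", "GPL-2.0-only", "MIT"}
# Character set taken from the Java tool's message quoted in the issue.
LICENSE_REF = re.compile(r"LicenseRef-[A-Za-z0-9+_.-]+")
SAMPLE_PACKAGES = [
    {"name": "javax.annotation:javax.annotation-api",
     "homepage": "https://example.com/javax-annotation",  # constructed
     "license": "CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0"},
    {"name": "Vulkan-headers",  # constructed name
     "homepage": " https://github.com/KhronosGroup/Vulkan-headers",
     "license": "LicenseRef-Public-Domain"},
]

def license_errors(expr, extracted_refs):
    """Yield one message per bad identifier in a license expression."""
    prev = None
    for tok in expr.replace("(", " ").replace(")", " ").split():
        # Operators are skipped, and so is the exception id that follows WITH.
        if tok not in ("AND", "OR", "WITH") and prev != "WITH":
            if tok.startswith("LicenseRef-") and not LICENSE_REF.fullmatch(tok):
                yield f"malformed license reference: {tok}"
            elif tok not in KNOWN_IDS and tok not in extracted_refs:
                yield f"unrecognized license reference: {tok}"
        prev = tok

def iter_errors(packages, extracted_refs=frozenset()):
    """Lazily yield every validation error; nothing here stops at the first."""
    for pkg in packages:
        for msg in license_errors(pkg["license"], extracted_refs):
            yield f"{pkg['name']}: {msg}"
        url = pkg["homepage"]
        parsed = urlparse(url)
        if url != url.strip() or parsed.scheme not in ("http", "https") or not parsed.netloc:
            yield f"{pkg['name']}: homepage must be a valid URL, but is: {url!r}"

def validate_all(packages, extracted_refs=frozenset()):
    return list(iter_errors(packages, extracted_refs))

def validate_fail_fast(packages, extracted_refs=frozenset()):
    first = next(iter_errors(packages, extracted_refs), None)
    return [] if first is None else [first]

if __name__ == "__main__":
    print("fail-fast:", *validate_fail_fast(SAMPLE_PACKAGES), sep="\n  ")
    print("collect-all:", *validate_all(SAMPLE_PACKAGES), sep="\n  ")
```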