How to convert from SPDX 2 to SPDX 3
@goneall The Java tools version 2 have the capability to convert from SPDX 2 to SPDX 3. This is documented at: https://spdx.github.io/Spdx-Java-Library/org/spdx/library/conversion/Spdx2to3Converter.html
But I would like to do it in the command line, not in a Java program.
I used to do something like:
java -jar tools-java-1.1.8-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json
to convert from SPDX 2 tag:value to SPDX 2 JSON.
I would have expected that
java -jar tools-java-2.0.0-Alpha-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json
would convert my SPDX 2 tag:value to SPDX 3, but that still converts to SPDX 2 JSON.
Is there a way to convert SPDX 2 to SPDX 3 on the command line?
@vargenau - you can use the file extension .jsonld.json or jsonld and it will convert it to 3.0. Alternatively, you can add the options for the from and to file types:
java -jar tools-java-2.0.0-Alpha-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD
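Added example, not part of the thread or of the SPDX tools: a post-conversion check for the pitfall raised in the question, where `Convert` ran without error but still wrote SPDX 2 JSON. The function names are hypothetical; detection assumes SPDX 2 JSON carries a top-level `spdxVersion` of the form `SPDX-2.x` and SPDX 3 JSON-LD carries an `@context` under `https://spdx.org/rdf/3.`.

```python
import json
import subprocess

JAR = "tools-java-2.0.0-Alpha-jar-with-dependencies.jar"  # jar named in the thread
V3_CONTEXT_PREFIX = "https://spdx.org/rdf/3."  # assumed prefix of SPDX 3 context URLs


def convert_argv(src, dst, jar=JAR):
    """Convert command from the answer above, with explicit TAG -> JSONLD types."""
    return ["java", "-jar", jar, "Convert", src, dst, "TAG", "JSONLD"]


def spdx_major(doc):
    """Return 2 or 3 for a parsed SPDX JSON document, None if unrecognised."""
    if not isinstance(doc, dict):
        return None
    version = doc.get("spdxVersion")  # top-level field of SPDX 2 JSON
    if isinstance(version, str) and version.startswith("SPDX-2."):
        return 2
    ctx = doc.get("@context")  # JSON-LD allows a string or a list here
    contexts = ctx if isinstance(ctx, list) else [ctx]
    if any(isinstance(c, str) and c.startswith(V3_CONTEXT_PREFIX) for c in contexts):
        return 3
    return None


def require_spdx3(text):
    """Raise ValueError unless text is an SPDX 3 JSON-LD serialization."""
    try:
        major = spdx_major(json.loads(text))
    except json.JSONDecodeError as exc:
        raise ValueError(f"output is not JSON: {exc}") from exc
    if major != 3:
        raise ValueError(f"expected SPDX 3 JSON-LD, detected major version {major}")
    return major


def convert_and_check(src, dst):
    """Run the conversion, then fail if the output is not SPDX 3."""
    subprocess.run(convert_argv(src, dst), check=True)
    with open(dst, encoding="utf-8") as fh:
        return require_spdx3(fh.read())


# Constructed minimal samples (not real SBOMs), used only to exercise the check.
SAMPLE_V2 = '{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "hello"}'
SAMPLE_V3 = ('{"@context": "https://spdx.org/rdf/3.0.1/spdx-context.jsonld", '
             '"@graph": [{"type": "CreationInfo", "specVersion": "3.0.1"}]}')
```

In an SBOM pipeline, `convert_and_check("hello.spdx", "hello.spdx.json")` turns a silent SPDX 2 output into a failed step instead of passing the wrong format downstream.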
Thank you very much @goneall for your answer.
I have created a pull request https://github.com/spdx/tools-java/pull/171 to add it to the README file.
The conversion works, but I have many warnings.
[main] WARN org.spdx.library.model.v2.SpdxElement - No creation info for document Optional[hello]
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/ElementCollection
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VexVulnAssessmentRelationship
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VulnAssessmentRelationship
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/software_SoftwareArtifact
@vargenau - I took a look at the code and the warnings above.
The schema-related warnings are due to issues with the SPDX spec generated schema file, which have been resolved with 3.0.1 - as soon as I update the tools, these should go away.
I wasn't able to duplicate the other warnings - if you can attach the SPDX V2.3 file you used as input, I can take a look.
Hi @goneall Thank you for having a look at my warnings. Input file is here: https://github.com/OpenChain-Project/Telco-WG/blob/main/tools/openchain_telco_sbom_validator/open-source-compliance-artifacts/openchain-telco-sbom-validator-0.1.6.spdx
@vargenau - I was able to duplicate the warnings on the 2.0.0-Alpha version. It looks like all of these are fixed with the released 3.0.1 schema and a few related fixes. Hope to get a new release out soon after we finalize the 3.0.1 spec release.
Thank you @goneall
@vargenau - can you check with the latest? I think these have been fixed.
Hi @goneall
Best wishes for the new year!
I still have some warnings:
janv. 06, 2025 10:42:53 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/ElementCollection
janv. 06, 2025 10:42:53 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VexVulnAssessmentRelationship
janv. 06, 2025 10:42:53 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VulnAssessmentRelationship
janv. 06, 2025 10:42:53 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/software_SoftwareArtifact
When running the Validator on the SPDX 3 resulting from the conversion, I have:
AVERTISSEMENT: No match for #/$defs/ElementCollection
janv. 06, 2025 10:43:39 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VexVulnAssessmentRelationship
janv. 06, 2025 10:43:39 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VulnAssessmentRelationship
janv. 06, 2025 10:43:39 AM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/software_SoftwareArtifact
[main] WARN org.spdx.library.ModelCopyManager - https://spdx.org/licenses/creatoragent/3_26_0 already exists - possibly overwriting properties due to a copy from a different model store.
[main] WARN org.spdx.v3jsonldstore.JsonLDStore - Non element in the serialized graph - __anon__gnrtd0 will not be included in the SPDX document elements
[main] WARN org.spdx.v3jsonldstore.JsonLDStore - Non element in the serialized graph - __anon__gnrtd1 will not be included in the SPDX document elements
[main] WARN org.spdx.v3jsonldstore.JsonLDStore - Non element in the serialized graph - __anon__gnrtd2 will not be included in the SPDX document elements
This SPDX Document is valid.
@vargenau I was able to duplicate the warnings.
The first few warnings "No match for ..." have already been fixed and will be included in the next release candidate.
I'll need to look into the cause of the other warnings.
I added 2 PRs to remove the remaining warnings - fixes should show up in the next release candidate.
Thank you @goneall I will check in the next release.
@vargenau - I just released 2.0.0-RC2 and updated the online tools which should resolve the issues noted above.
I'll go ahead and close this issue, but if you run into any similar problems please open a new issue.
Hi @goneall Thank you for the fixes. I confirm that it now works for this SBOM. However, I created a new issue: https://github.com/spdx/tools-java/issues/188