Conversion from valid SPDX2 gives invalid SPDX3
Hi @goneall
I have a valid SPDX2 file, FN.spdx (uploaded here as FN.spdx.txt).
I convert to SPDX3.
Then the validator gives the following errors:
This SPDX Document is not valid due to:
Relationship error: Relationship error: Missing required license information from files for busybox in FN in FN in FN
Relationship error: Relationship error: Missing required package files for busybox in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package busybox in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for bash in FN in FN in FN
Relationship error: Relationship error: Missing required package files for bash in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package bash in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for base-files in FN in FN in FN
Relationship error: Relationship error: Missing required package files for base-files in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package base-files in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for blkid in FN in FN in FN
Relationship error: Relationship error: Missing required package files for blkid in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package blkid in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for 464xlat in FN in FN in FN
Relationship error: Relationship error: Missing required package files for 464xlat in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package 464xlat in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for block-mount in FN in FN in FN
Relationship error: Relationship error: Missing required package files for block-mount in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package block-mount in FN in FN in FN
Relationship error: Missing required license information from files for FN in FN
Relationship error: Missing required package files for FN in FN
Relationship error: Missing required package verification code for package FN in FN
This is with Release Candidate 2 for version 2.0.0 of the SPDX Java Tools
I just ran verify against the attached FN.spdx.txt file and I got the following errors:
This SPDX Document is not valid due to:
Relationship at line 16 invalid: Missing required package files for blkid
Relationship at line 16 invalid: Missing required package verification code for package blkid
Relationship at line 17 invalid: Missing required package files for block-mount
Relationship at line 17 invalid: Missing required package verification code for package block-mount
Relationship at line 18 invalid: Missing required package files for busybox
Relationship at line 18 invalid: Missing required package verification code for package busybox
Relationship at line 11 invalid: Relationship error: Missing required package files for block-mount in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package verification code for package block-mount in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package files for base-files in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package verification code for package base-files in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package files for blkid in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package verification code for package blkid in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package files for busybox in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package verification code for package busybox in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package files for bash in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package verification code for package bash in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package files for 464xlat in FN in FN
Relationship at line 11 invalid: Relationship error: Missing required package verification code for package 464xlat in FN in FN
Relationship at line 11 invalid: Missing required package files for FN
Relationship at line 11 invalid: Missing required package verification code for package FN
Relationship at line 13 invalid: Missing required package files for 464xlat
Relationship at line 13 invalid: Missing required package verification code for package 464xlat
Relationship at line 14 invalid: Missing required package files for base-files
Relationship at line 14 invalid: Missing required package verification code for package base-files
Relationship at line 15 invalid: Missing required package files for bash
Relationship at line 15 invalid: Missing required package verification code for package bash
Package at line 22 invalid: Relationship error: Missing required package files for block-mount in FN in FN
Package at line 22 invalid: Relationship error: Missing required package verification code for package block-mount in FN in FN
Package at line 22 invalid: Relationship error: Missing required package files for base-files in FN in FN
Package at line 22 invalid: Relationship error: Missing required package verification code for package base-files in FN in FN
Package at line 22 invalid: Relationship error: Missing required package files for blkid in FN in FN
Package at line 22 invalid: Relationship error: Missing required package verification code for package blkid in FN in FN
Package at line 22 invalid: Relationship error: Missing required package files for busybox in FN in FN
Package at line 22 invalid: Relationship error: Missing required package verification code for package busybox in FN in FN
Package at line 22 invalid: Relationship error: Missing required package files for bash in FN in FN
Package at line 22 invalid: Relationship error: Missing required package verification code for package bash in FN in FN
Package at line 22 invalid: Relationship error: Missing required package files for 464xlat in FN in FN
Package at line 22 invalid: Relationship error: Missing required package verification code for package 464xlat in FN in FN
Package at line 22 invalid: Missing required package files for FN
Package at line 22 invalid: Missing required package verification code for package FN
Package at line 33 invalid: Missing required package files for 464xlat
Package at line 33 invalid: Missing required package verification code for package 464xlat
Package at line 45 invalid: Missing required package files for base-files
Package at line 45 invalid: Missing required package verification code for package base-files
Package at line 57 invalid: Missing required package files for bash
Package at line 57 invalid: Missing required package verification code for package bash
Package at line 69 invalid: Missing required package files for blkid
Package at line 69 invalid: Missing required package verification code for package blkid
Package at line 81 invalid: Missing required package files for block-mount
Package at line 81 invalid: Missing required package verification code for package block-mount
Package at line 93 invalid: Missing required package files for busybox
Package at line 93 invalid: Missing required package verification code for package busybox
Relationship error: Relationship error: Missing required license information from files for block-mount in FN in FN in FN
Relationship error: Relationship error: Missing required package files for block-mount in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package block-mount in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for base-files in FN in FN in FN
Relationship error: Relationship error: Missing required package files for base-files in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package base-files in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for blkid in FN in FN in FN
Relationship error: Relationship error: Missing required package files for blkid in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package blkid in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for busybox in FN in FN in FN
Relationship error: Relationship error: Missing required package files for busybox in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package busybox in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for bash in FN in FN in FN
Relationship error: Relationship error: Missing required package files for bash in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package bash in FN in FN in FN
Relationship error: Relationship error: Missing required license information from files for 464xlat in FN in FN in FN
Relationship error: Relationship error: Missing required package files for 464xlat in FN in FN in FN
Relationship error: Relationship error: Missing required package verification code for package 464xlat in FN in FN in FN
Relationship error: Missing required license information from files for FN in FN
Relationship error: Missing required package files for FN in FN
Relationship error: Missing required package verification code for package FN in FN
Hi @goneall I had not checked the validity of the file with RC2. However, both tools-python and tools-java version 1.1.8 say the file is valid SPDX. And I do not really understand what the errors are. Could you please clarify what the errors are and how to fix them?
Interesting that 1.1.8 has different results. I'll look into it.
I think most, if not all, the errors are due to the FilesAnalyzed flag not being specified on packages that do not have the files or PackageVerificationCode fields for FilesAnalyzed=True which is the default.
I just looked back in the spec and there isn't any clear mention that these are required. I do recall a discussion where they should be present, but I can remove the checks. @kestewart - any opinion on if these are required?
It's curious that the tools-java version 1.1.8 didn't flag the same issues since that part of the code hasn't really changed.
Hi @goneall
Thank you for the explanation.
Adding FilesAnalyzed: false makes the warning disappear.
In the SPDX 2.2 spec, it says for Package Verification Code:
3.9.3 Cardinality: Mandatory, one if FilesAnalyzed is true or omitted, zero (must be omitted) if FilesAnalyzed is false.
So I think the SBOM is invalid. I would leave the checks.
I have created https://github.com/spdx/tools-python/issues/845 for tools-python.
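Worked example, added here for illustration and not part of the thread or of the SPDX tools-java / tools-python code: a small standalone Python checker for the SPDX 2.2 rule quoted above. It parses the package sections of a tag-value document and applies the three checks the validator reported (license information from files, package files, package verification code), treating an omitted FilesAnalyzed as true and requiring PackageVerificationCode to be absent when FilesAnalyzed is false. All sample documents, SPDX identifiers, checksums and the verification code below are constructed for the example; the error strings are modelled on the validator messages in the thread.

```python
"""Standalone checker for the SPDX 2.2 FilesAnalyzed rule (3.9.3) on tag-value packages.

Hypothetical example code, not the tools-java or tools-python validator. It implements only
the three checks discussed in the thread and assumes the tag-value convention that File
sections following a PackageName belong to that package.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


@dataclass
class Package:
    name: str
    spdx_id: str = ""
    files_analyzed: Optional[bool] = None      # None means omitted, which defaults to true
    verification_code: Optional[str] = None
    license_info_from_files: List[str] = field(default_factory=list)
    files: List[str] = field(default_factory=list)


def parse_packages(text: str) -> List[Package]:
    """Collect the package-level tags relevant to the FilesAnalyzed rule."""
    packages: List[Package] = []
    current: Optional[Package] = None
    in_file = False  # inside a File section; its SPDXID etc. must not be read as package tags
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            current = Package(name=value)
            packages.append(current)
            in_file = False
        elif tag == "FileName":
            in_file = True
            if current is not None:
                current.files.append(value)  # file following a package belongs to it
        elif current is None or in_file:
            continue
        elif tag == "SPDXID":
            current.spdx_id = value
        elif tag == "FilesAnalyzed":
            current.files_analyzed = value.lower() == "true"
        elif tag == "PackageVerificationCode":
            current.verification_code = value
        elif tag == "PackageLicenseInfoFromFiles":
            current.license_info_from_files.append(value)
    return packages


def check_package(pkg: Package) -> List[str]:
    """Messages are modelled on the ones the tools-java validator printed in this thread."""
    errors: List[str] = []
    analyzed = pkg.files_analyzed is not False  # omitted counts as true (SPDX 2.2, 3.8)
    if analyzed:
        if not pkg.license_info_from_files:
            errors.append(f"Missing required license information from files for {pkg.name}")
        if not pkg.files:
            errors.append(f"Missing required package files for {pkg.name}")
        if pkg.verification_code is None:
            errors.append(f"Missing required package verification code for package {pkg.name}")
    else:
        if pkg.verification_code is not None:
            errors.append(f"Package verification code must be omitted when FilesAnalyzed is false for {pkg.name}")
        if pkg.license_info_from_files:
            errors.append(f"License information from files must be omitted when FilesAnalyzed is false for {pkg.name}")
    return errors


def validate(text: str) -> List[str]:
    return [e for pkg in parse_packages(text) for e in check_package(pkg)]


# Constructed sample documents (not the FN.spdx file from the issue).
HEADER = """SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: constructed-example
DocumentNamespace: http://example.invalid/spdx/constructed-example
Creator: Tool: constructed-example
Created: 2024-01-01T00:00:00Z
"""
# Package as in the issue: no FilesAnalyzed, no verification code, no files.
PACKAGE_NO_FLAG = HEADER + """PackageName: busybox
SPDXID: SPDXRef-busybox
PackageVersion: 1.36.1
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: GPL-2.0-only
PackageLicenseDeclared: GPL-2.0-only
PackageCopyrightText: NOASSERTION
"""
# The fix vargenau applied: declare that files were not analyzed.
PACKAGE_NOT_ANALYZED = PACKAGE_NO_FLAG + "FilesAnalyzed: false\n"
# The other valid shape: files analyzed, so code, license info and a file are present.
PACKAGE_ANALYZED = PACKAGE_NO_FLAG + """FilesAnalyzed: true
PackageVerificationCode: d6a770ba38583ed4bb4525bd96e50461655d2758
PackageLicenseInfoFromFiles: GPL-2.0-only
FileName: ./bin/busybox
SPDXID: SPDXRef-File-busybox
FileChecksum: SHA1: 85ed0817af83a24ad8da68c2b5094de69833983c
LicenseConcluded: GPL-2.0-only
LicenseInfoInFile: GPL-2.0-only
FileCopyrightText: NOASSERTION
"""

if __name__ == "__main__":
    for label, doc in [("no flag", PACKAGE_NO_FLAG), ("FilesAnalyzed: false", PACKAGE_NOT_ANALYZED),
                       ("FilesAnalyzed: true", PACKAGE_ANALYZED)]:
        print(label, "->", validate(doc) or "valid")
```

Running it shows the first document producing exactly the three per-package messages from the thread, and both corrected shapes passing; the checker does not follow explicit CONTAINS relationships, so a document that lists its files only through Relationship lines would need that extended before the "package files" check is trusted.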
@vargenau - Can this issue be closed?
@vargenau - I'll go ahead and close this based on the above comments - but if you feel it is still an issue, please re-open or create a new issue