
Failed to convert valid RDF type SBOM into another format

Open boravinod145 opened this issue 8 months ago • 4 comments

Description

There is a failure in converting the valid RDF type SBOM into another format.

During verification, it produces some license-related warnings but confirms that the SBOM is valid. However, it results in an error during conversion:

Error converting: Error converting SPDX file: class java.lang.RuntimeException org.spdx.spdxRdfStore.SpdxRdfException: http://spdx.org/rdf/terms#isDeprecatedLicenseId was not found related to class http://spdx.org/rdf/terms#ListedLicenseException

Steps to reproduce

  1. Download the SBOM zip and extract it: nginx_1.27-spdx-1.zip
  2. Verify the SBOM: java -jar ./tools-java/target/tools-java-2.0.1-jar-with-dependencies.jar Verify /Downloads/nginx_1.27-spdx-1.rdf
  3. Convert the SBOM into JSON format: java -jar ./tools-java/target/tools-java-2.0.1-jar-with-dependencies.jar Convert /Downloads/nginx_1.27-spdx-1.rdf test.json

boravinod145, Apr 29 '25 12:04

Thanks for reporting the issue. Do you mind renaming nginx_1.27-spdx-1.rdf to nginx_1.27-spdx-1.rdf.txt and attaching it as a text file please? In an open environment like this, it is less awkward to download a .txt file than to download and extract a .zip file.

bact, Apr 29 '25 13:04

@boravinod145 - thanks for reporting the issue.

In looking at the RDF file, the license exceptions include a property spdx:isDeprecatedLicenseId which is not defined in the SPDX RDF OWL ontology (reference http://spdx.org/rdf/terms#ListedLicenseException). I checked and the Java model also does not implement this property. Removing this property from the RDF file should fix the issue.

Can you share how the original RDF file was generated? There may be an issue with the generation software.

Also - there is an issue that Verify did not report this as an issue.

I will look into why Verify didn't report this.

goneall, Apr 29 '25 18:04

I figured out why Verify didn't report the issue. Verify goes through all the known properties for a given model class and verifies them. It doesn't go through any additional properties found in the actual RDF file, so the extra property was ignored.

When converting, all of the properties of the source file are read.

I noticed in the code, there is a comment: //TODO: Implement verification against the OWL schema - implementing this would potentially fix the issue.

We could also fix this by going through all the properties in the RDF file similar to convert - but that would be a design change to how verify works.

Finally, we could just ignore any additional properties in the RDF file and fix convert so that it will ignore them as well.

goneall, Apr 29 '25 18:04
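The gap described in the comment above (Verify walks only the model's known properties, while Convert reads every property in the file) can be closed with a pre-flight check on the RDF/XML itself. The script below is an added example in Python, not tools-java code: it lists properties that a per-class allowlist does not define, and can strip them, which is the manual workaround suggested earlier in the thread applied mechanically. The allowlist for ListedLicenseException is an abbreviated assumption (the SPDX 2.x ontology at http://spdx.org/rdf/terms is the authority), and the RDF fragment is constructed to carry the spdx:isDeprecatedLicenseId property from the report.

```python
"""Pre-flight check for an SPDX 2.x RDF/XML file: report (and optionally
strip) properties that are not defined for their enclosing class.
Added example, not part of tools-java; uses only the standard library."""
import xml.etree.ElementTree as ET

RDF = "http://www.w3.org/1999/02/22-rdf-syntax-ns#"
RDFS = "http://www.w3.org/2000/01/rdf-schema#"
SPDX = "http://spdx.org/rdf/terms#"

# Keep the familiar prefixes when re-serializing a stripped document.
ET.register_namespace("rdf", RDF)
ET.register_namespace("rdfs", RDFS)
ET.register_namespace("spdx", SPDX)

# Abbreviated allowlist (assumption): properties the SPDX 2.x ontology defines
# for a ListedLicenseException. Extend this map with one entry per class.
KNOWN_PROPERTIES = {
    f"{{{SPDX}}}ListedLicenseException": {
        f"{{{SPDX}}}licenseExceptionId",
        f"{{{SPDX}}}licenseExceptionText",
        f"{{{SPDX}}}name",
        f"{{{SPDX}}}example",
        f"{{{RDFS}}}comment",
        f"{{{RDFS}}}seeAlso",
    },
}

# Constructed RDF/XML fragment carrying the undefined property from the report.
SAMPLE_RDF = f"""<rdf:RDF xmlns:rdf="{RDF}" xmlns:rdfs="{RDFS}" xmlns:spdx="{SPDX}">
  <spdx:ListedLicenseException rdf:about="http://spdx.org/licenses/Classpath-exception-2.0">
    <spdx:licenseExceptionId>Classpath-exception-2.0</spdx:licenseExceptionId>
    <spdx:name>Classpath exception 2.0</spdx:name>
    <spdx:isDeprecatedLicenseId>false</spdx:isDeprecatedLicenseId>
    <rdfs:comment>constructed sample, not a real listed exception record</rdfs:comment>
  </spdx:ListedLicenseException>
</rdf:RDF>
"""


def qname(tag):
    """Turn ElementTree's '{namespace}local' form into 'prefix:local'."""
    prefixes = {RDF: "rdf", RDFS: "rdfs", SPDX: "spdx"}
    ns, _, local = tag[1:].partition("}")
    return f"{prefixes.get(ns, ns)}:{local}"


def find_unknown_properties(rdf_xml, known=KNOWN_PROPERTIES):
    """Return (class, property) pairs for child elements the allowlist does
    not define for their enclosing class. Classes with no allowlist entry
    are skipped, not flagged, so the check stays conservative."""
    root = ET.fromstring(rdf_xml)
    findings = []
    for node in root.iter():
        allowed = known.get(node.tag)
        if allowed is None:
            continue
        for child in node:
            if child.tag not in allowed:
                findings.append((qname(node.tag), qname(child.tag)))
    return findings


def strip_unknown_properties(rdf_xml, known=KNOWN_PROPERTIES):
    """Return the document with every unknown property element removed."""
    root = ET.fromstring(rdf_xml)
    for node in root.iter():
        allowed = known.get(node.tag)
        if allowed is None:
            continue
        for child in list(node):  # copy: removing while iterating is unsafe
            if child.tag not in allowed:
                node.remove(child)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for cls, prop in find_unknown_properties(SAMPLE_RDF):
        print(f"unknown property {prop} on {cls}")
    print(strip_unknown_properties(SAMPLE_RDF))
```

Run against the constructed sample, the check reports spdx:isDeprecatedLicenseId on spdx:ListedLicenseException and nothing else; the stripped output converts cleanly as far as this property is concerned. Because unknown classes are skipped rather than flagged, the allowlist can be grown one class at a time without producing noise for classes it does not yet cover.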

Thank you, @goneall, for your prompt investigation, which allowed me to rule out the cause from the converted SBOM.

This SBOM was initially generated in tag format by our tool. The issue with the property spdx:isDeprecatedLicenseId was introduced after converting it to RDF format. I resolved this by adding the excludeLicenseDetails parameter in the conversion command.

boravinod145, Apr 30 '25 06:04