SPDX 2.3 tagvalue parser cannot parse documents with erroneous SHA256 ExternalDocumentRef checksums

Open richardmaw-codethink opened this issue 3 months ago • 0 comments

I've been writing some Python tooling that consumes SPDX documents from various sources.

Some of these use https://github.com/swinslow/cmake-spdx, which unfortunately has the open issue https://github.com/swinslow/cmake-spdx/issues/8: it generates documents with SHA256 hashes for ExternalDocumentRef due to confusion in the spec, and the regex at https://github.com/spdx/tools-python/blob/b7f9a3defe8b0af1414cd75f1447ec242428f1d0/src/spdx_tools/spdx/parser/tagvalue/parser.py#L288 only handles SHA1.

"That's invalid, WONTFIX" is a fair resolution, but searching ExternalDocumentRef and SHA256 didn't find an existing issue so I thought it worth raising.

It may be as simple as extending the regex to the full set supported, but I can't predict if I'll have time to attempt a fix myself and it'd be helpful to know whether the fix would be accepted.

richardmaw-codethink, Sep 24 '25 14:09
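
An added example (not part of the original issue and not tools-python code): a pre-check for ExternalDocumentRef tag-value lines that flags the non-SHA1 checksums described above, and digests whose length does not fit the named algorithm, before a document reaches a stricter parser. The regex, the algorithm table and the sample lines are assumptions made for illustration.

```python
import re

# Hex digest lengths per algorithm. The algorithm set is an assumption for
# this example, not the list tools-python or the SPDX spec defines.
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA224": 56, "SHA256": 64,
                  "SHA384": 96, "SHA512": 128}

# Shape: ExternalDocumentRef: DocumentRef-<idstring> <uri> <ALGO>: <hex>
EXT_DOC_REF = re.compile(
    r"^ExternalDocumentRef:\s*(?P<ref>DocumentRef-[A-Za-z0-9.+-]+)\s+"
    r"(?P<uri>\S+)\s+(?P<algo>[A-Za-z0-9_-]+):\s*(?P<digest>[0-9A-Fa-f]+)\s*$"
)


def check_external_document_ref(line):
    """Return (fields, problems) for one tag-value line.

    fields is None when the line does not have the expected shape.
    problems lists reasons a SHA1-only parser or a verifier would reject it.
    """
    m = EXT_DOC_REF.match(line.strip())
    if m is None:
        return None, ["not a well-formed ExternalDocumentRef line"]
    fields = m.groupdict()
    fields["algo"] = fields["algo"].upper()
    fields["digest"] = fields["digest"].lower()
    problems = []
    expected = DIGEST_HEX_LEN.get(fields["algo"])
    if expected is None:
        problems.append(f"unknown checksum algorithm {fields['algo']}")
    elif len(fields["digest"]) != expected:
        problems.append(f"{fields['algo']} digest has "
                        f"{len(fields['digest'])} hex chars, expected {expected}")
    if fields["algo"] != "SHA1":
        problems.append("checksum is not SHA1; a SHA1-only regex will not match")
    return fields, problems


# Constructed sample lines (URIs and digests are made up for the example).
SAMPLES = [
    "ExternalDocumentRef: DocumentRef-a https://example.com/a SHA1: " + "ab" * 20,
    "ExternalDocumentRef: DocumentRef-b https://example.com/b SHA256: " + "cd" * 32,
    "ExternalDocumentRef: DocumentRef-c https://example.com/c SHA256: " + "ef" * 20,
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(check_external_document_ref(sample))
```

The third sample shows why accepting more algorithms should come with a length check: a 40-character digest labelled SHA256 is reported separately from a correctly sized SHA256 value.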