Converting from JSON to tag:value creates invalid SPDX #58

Open
vargenau opened this issue Jan 17, 2024 · 3 comments · May be fixed by #59

@vargenau

bug.spdx.json.txt

bug.spdx.txt

We have a valid SPDX JSON file bug.spdx.json.

With tools-java we convert it to tag:value giving bug.spdx.

bug.spdx is invalid according to tools-python:

pyspdxtools -i bug.spdx
ERROR:root:There have been issues while parsing the provided document:
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 32

tools-java release 1.1.8

@goneall
Member

goneall commented Jan 18, 2024

After looking at the spec, this may actually be valid.

I didn't see anything in the spec that states the relationships must be in a specific position within the document.

Files that are contained within the package, on the other hand, must immediately follow the package they belong to.

That being said, from a readability point of view, it would be better to have the files analyzed flag before the relationships.

I'll create a PR to fix.

@goneall
Member

goneall commented Jan 18, 2024

Transferring to the tag/value store which generates the tag/value files.

@goneall goneall transferred this issue from spdx/tools-java Jan 18, 2024
goneall added a commit that referenced this issue Jan 18, 2024
@goneall
Member

goneall commented Jan 18, 2024

Note that section 5.2.2 of the SPDX 2.3 spec states:

Annotations and relationships for the package may appear after the package information before any file information.

It doesn't use the word "shall", but this could be interpreted as a required ordering.

In either case, this is fixed with PR #59
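
An added example, not part of the original thread and not code from tools-java or tools-python: a heuristic lint that flags package tags (such as FilesAnalyzed) written after a Relationship or annotation in the same package section, the ordering discussed above. The function name, the tag subset and the sample document are assumptions constructed for illustration.

```python
import re

# Package-section tags from the SPDX 2.3 tag:value format (subset for illustration).
PACKAGE_TAGS = {
    "PackageVersion", "PackageFileName", "PackageSupplier", "PackageOriginator",
    "PackageDownloadLocation", "FilesAnalyzed", "PackageVerificationCode",
    "PackageChecksum", "PackageHomePage", "PackageLicenseConcluded",
    "PackageLicenseDeclared", "PackageCopyrightText",
}
TAG_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):")

def find_misordered_package_tags(text):
    """Return (line_no, tag) for package tags placed after a Relationship or
    annotation that follows the same PackageName."""
    findings = []
    in_package = interrupted = in_text = False
    for line_no, line in enumerate(text.splitlines(), start=1):
        if in_text:  # skip the body of a multi-line <text>...</text> value
            in_text = "</text>" not in line
            continue
        match = TAG_LINE.match(line.strip())
        if not match:
            continue
        in_text = "<text>" in line and "</text>" not in line
        tag = match.group(1)
        if tag == "PackageName":
            in_package, interrupted = True, False
        elif tag == "FileName":  # file information ends the package fields
            in_package = False
        elif in_package and tag in ("Relationship", "Annotator"):
            interrupted = True
        elif in_package and interrupted and tag in PACKAGE_TAGS:
            findings.append((line_no, tag))
    return findings

# Constructed sample reproducing the ordering discussed in the issue.
BAD = """SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example
PackageName: demo
SPDXID: SPDXRef-Package
PackageDownloadLocation: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package
FilesAnalyzed: false
"""

if __name__ == "__main__":
    for line_no, tag in find_misordered_package_tags(BAD):
        print(f"line {line_no}: {tag} appears after a relationship/annotation")
```

Running a check like this on converter output before handing an SBOM to downstream consumers catches documents that one parser accepts and another rejects.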
