How to convert from SPDX 2 to SPDX 3 #170

Open
vargenau opened this issue Sep 26, 2024 · 7 comments
@vargenau
Contributor

@goneall
The Java tools version 2 have the capability to convert from SPDX 2 to SPDX 3.
This is documented at: https://spdx.github.io/Spdx-Java-Library/org/spdx/library/conversion/Spdx2to3Converter.html

But I would like to do it on the command line, not in a Java program.

I used to do something like:

java -jar tools-java-1.1.8-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json

to convert from SPDX 2 tag:value to SPDX 2 JSON.

I would have expected that

java -jar tools-java-2.0.0-Alpha-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json

would convert my SPDX 2 tag:value to SPDX 3, but that still converts to SPDX 2 JSON.

Is there a way to convert SPDX 2 to SPDX 3 on the command line?

@goneall
Member

goneall commented Sep 27, 2024

@vargenau - you can use the file extension .jsonld.json or jsonld and it will convert it to 3.0. Alternatively, you can add the options for the from and to file types:

java -jar tools-java-2.0.0-Alpha-jar-with-dependencies.jar Convert hello.spdx hello.spdx.json TAG JSONLD
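
Added example, not part of the thread or of the SPDX tools: because the output of `Convert` depends on the file extension or the explicit type arguments, a pipeline can confirm which SPDX major version a converted file really contains. The detection heuristics (a top-level `spdxVersion` for SPDX 2 JSON, an `@context` under `https://spdx.org/rdf/3.` for SPDX 3 JSON-LD), the function names and the sample documents are assumptions made for this sketch.

```python
import json

# Constructed sample documents (not taken from the issue thread).
SPDX2_SAMPLE = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "hello",
    "packages": [],
})
SPDX3_SAMPLE = json.dumps({
    "@context": "https://spdx.org/rdf/3.0.0/spdx-context.jsonld",
    "@graph": [
        {"type": "CreationInfo", "@id": "_:creationinfo", "specVersion": "3.0.0"},
        {"type": "SpdxDocument", "spdxId": "https://example.org/doc",
         "creationInfo": "_:creationinfo"},
    ],
})


def _contexts(doc):
    # "@context" may be a single string or a list; keep only string entries.
    ctx = doc.get("@context", [])
    return [c for c in (ctx if isinstance(ctx, list) else [ctx]) if isinstance(c, str)]


def detect_spdx_major(text):
    """Return 2, 3, or None for a JSON / JSON-LD SBOM passed as a string."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None  # tag:value, RDF/XML, or truncated output
    if not isinstance(doc, dict):
        return None
    version = doc.get("spdxVersion")
    if isinstance(version, str) and version.startswith("SPDX-2."):
        return 2
    if any(c.startswith("https://spdx.org/rdf/3.") for c in _contexts(doc)):
        return 3
    return None


def check_conversion(path, expected_major=3):
    """Raise when a converted file is not the expected SPDX major version."""
    with open(path, encoding="utf-8") as fh:
        found = detect_spdx_major(fh.read())
    if found != expected_major:
        raise ValueError(f"{path}: expected SPDX {expected_major}, found {found}")
    return found
```

Calling `check_conversion("hello.spdx.json")` after the conversion step makes a silent fallback to SPDX 2 JSON fail the build instead of passing unnoticed.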

@vargenau
Contributor Author

Thank you very much @goneall for your answer.

I have created a pull request #171 to add it to the README file.

@vargenau
Contributor Author

The conversion works, but I have many warnings.

[main] WARN org.spdx.library.model.v2.SpdxElement - No creation info for document Optional[hello]
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
[main] WARN org.spdx.storage.listedlicense.SpdxListedLicenseModelStore - SPDX listed license URL was used instead of the required namespace ('https:' rather than 'http:'
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/ElementCollection
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VexVulnAssessmentRelationship
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/security_VulnAssessmentRelationship
sept. 30, 2024 4:11:43 PM net.jimblackler.jsonschemafriend.Schema <init>
AVERTISSEMENT: No match for #/$defs/software_SoftwareArtifact

@goneall
Member

goneall commented Oct 12, 2024

@vargenau - I took a look at the code and the warnings above.

The schema-related warnings are due to issues with the SPDX spec generated schema file which have been resolved with 3.0.1 - as soon as I update the tools, these should go away.

I wasn't able to duplicate the other warnings - if you can attach the SPDX V2.3 file you used as input, I can take a look.

@vargenau
Contributor Author

@goneall
Member

goneall commented Oct 13, 2024

@vargenau - I was able to duplicate the warnings on the 2.0.0-Alpha version. It looks like all of these are fixed with the released 3.0.1 schema and a few related fixes. Hope to get a new release out soon after we finalize the 3.0.1 spec release.

@vargenau
Contributor Author

Thank you @goneall
