SoftwareDesignLab / SBOM-in-a-Box

SBOM-in-a-Box is a unified platform to promote the production, consumption, and utilization of Software Bills of Materials.
MIT License

resolveSchema() and resolveFormat() Improvements #280

Closed JorWo closed 1 year ago

JorWo commented 1 year ago

The SBOMFileServiceTest#merge_two_sboms() test was failing after I made improvements to the resolveFormat to check for a valid TagValue. I found that the SPDX TagValue SBOM generated from the merge test was invalid because it contained these lines:

CreatorComment: 1) null
2) null

The convention for multi-line values is to wrap them inside a <text></text>.

So in SPDX23TagValueSerializer#getDocumentInfo, I added code to check if a creatorComment or documentComment contained "null" as a string.

JorWo commented 1 year ago

I highly advise looking at isValidTagValue again and making sure it works with a wide set of SPDX files. Other than that, looks good.

I was also thinking of just using the SPDX23TagValueDeserializer.readFromString() method and seeing if an error would be thrown, but we would have to update that method to throw errors if a required field is missing. For now, I'll update the tests to try more SPDX files.
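An added illustration (not code from SBOM-in-a-Box, and written in Python rather than the project's Java) of both points raised in this thread: a tag-value check that accepts multi-line values only inside <text></text>, and a serializer helper that omits missing comment parts instead of emitting "null". The sample SBOM header and its values are constructed; `validate_tag_value` and `serialize_comment` are hypothetical names, not the project's `isValidTagValue` or `getDocumentInfo`.

```python
import re
from typing import List, Optional

# Constructed sample reproducing the malformed merge output quoted in the issue:
# the second CreatorComment line has no tag and no enclosing <text> block.
BAD_SBOM = (
    "SPDXVersion: SPDX-2.3\n"
    "DocumentName: merged-example\n"
    "Creator: Tool: example-tool\n"
    "CreatorComment: 1) null\n"
    "2) null\n"
)

TAG_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")
COMMENT_TAGS = {"CreatorComment", "DocumentComment"}


def validate_tag_value(doc: str) -> List[str]:
    """Return the problems found; empty means the tag-value structure is sound.
    Continuation lines are accepted only inside a <text>...</text> value."""
    problems: List[str] = []
    in_text = False
    for lineno, line in enumerate(doc.splitlines(), 1):
        if in_text:
            in_text = "</text>" not in line  # block ends on the closing tag
            continue
        if not line.strip() or line.startswith("#"):
            continue
        m = TAG_LINE.match(line)
        if m is None:
            problems.append(f"line {lineno}: continuation outside <text>: {line!r}")
            continue
        tag, value = m.groups()
        if value.startswith("<text>") and "</text>" not in value:
            in_text = True
        # Same signal the issue's fix looks for: a literal "null" in a comment
        # means a missing value was serialized instead of being omitted.
        if tag in COMMENT_TAGS and "null" in value.split():
            problems.append(f"line {lineno}: {tag} contains 'null'")
    return problems


def serialize_comment(tag: str, parts: List[Optional[str]]) -> str:
    """Serializer-side fix: drop missing parts; wrap multi-line output in <text>."""
    kept = [f"{i}) {p}" for i, p in enumerate([p for p in parts if p], 1)]
    if not kept:
        return ""  # omit the optional tag rather than emit "null"
    body = "\n".join(kept)
    return f"{tag}: <text>{body}</text>\n" if len(kept) > 1 else f"{tag}: {body}\n"
```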