interlynk-io / sbomasm

SBOM Assembler - A tool to compose your various sboms into a single sbom.
Apache License 2.0

sbomasm creates invalid SPDX #56

Open vargenau opened 5 days ago

vargenau commented 5 days ago

Get the 3 SPDX files from https://github.com/spdx/spdx-examples/tree/master/software/example6/spdx2.2

These 3 files are valid SPDX.

Do:

sbomasm assemble -n merge -v 1 -t application -o merge.spdx.json *.spdx

Result is invalid SPDX:

pyspdxtools -i merge.spdx.json 
ERROR:root:The document is invalid. The following issues have been found:
document_ref_id must only contain letters, numbers, ".", "-" and "+" and must begin with "DocumentRef-", but is: hello-go-src
document_ref_id must only contain letters, numbers, ".", "-" and "+" and must begin with "DocumentRef-", but is: go-lib
verification_code must be None if files_analyzed is False, but is: PackageVerificationCode(value='', excluded_files=[])
verification_code must be None if files_analyzed is False, but is: PackageVerificationCode(value='', excluded_files=[])
verification_code must be None if files_analyzed is False, but is: PackageVerificationCode(value='', excluded_files=[])
verification_code must be None if files_analyzed is False, but is: PackageVerificationCode(value='', excluded_files=[])
verification_code must be None if files_analyzed is False, but is: PackageVerificationCode(value='', excluded_files=[])
did not find the referenced spdx_id "SPDXRef-hello-go-binary" in the SPDX document
did not find the external document reference "DocumentRef-hello-go-src" in the SPDX document
did not find the referenced spdx_id "SPDXRef-hello-go-binary" in the SPDX document
did not find the external document reference "DocumentRef-hello-go-src" in the SPDX document
did not find the external document reference "DocumentRef-go-lib" in the SPDX document
did not find the external document reference "DocumentRef-go-lib" in the SPDX document
did not find the external document reference "DocumentRef-go-lib" in the SPDX document
did not find the external document reference "DocumentRef-go-lib" in the SPDX document
did not find the external document reference "DocumentRef-go-lib" in the SPDX document
did not find the referenced spdx_id "SPDXRef-Makefile" in the SPDX document

riteshnoronha commented 5 days ago

@vargenau thanks for reporting, let me check and get back to you
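
The three classes of error in the validator output reported above (a malformed document_ref_id, a verification code on a package with files_analyzed False, and dangling references) can be checked directly on a merged SPDX JSON file before it is published. This is an added example, not code from sbomasm or pyspdxtools; it assumes the SPDX 2.x JSON field names, and the sample document is constructed (SPDXRef-merge and SPDXRef-lib are hypothetical ids).

```python
import re

# Identifier rule as quoted in the validator output: letters, digits, ".", "-", "+".
DOCREF_RE = re.compile(r"DocumentRef-[A-Za-z0-9.+-]+")

def check_merged_spdx(doc):
    """Return the problems found in a parsed SPDX 2.x JSON document (a dict)."""
    problems = []
    declared = set()  # well-formed external document ids declared by this document
    for ref in doc.get("externalDocumentRefs", []):
        ref_id = ref.get("externalDocumentId", "")
        if DOCREF_RE.fullmatch(ref_id):
            declared.add(ref_id)
        else:
            problems.append(f"bad document_ref_id: {ref_id}")
    # filesAnalyzed defaults to true when omitted, so only an explicit false counts.
    for pkg in doc.get("packages", []):
        if pkg.get("filesAnalyzed", True) is False and "packageVerificationCode" in pkg:
            problems.append(f"verification code on unanalyzed package: {pkg.get('SPDXID')}")
    # Collect every element id defined locally, then resolve relationship endpoints.
    local = {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    for key in ("packages", "files", "snippets"):
        local.update(e["SPDXID"] for e in doc.get(key, []) if "SPDXID" in e)
    for rel in doc.get("relationships", []):
        for end in (rel.get("spdxElementId"), rel.get("relatedSpdxElement")):
            if end in (None, "NONE", "NOASSERTION"):
                continue
            docref, sep, _ = end.rpartition(":")
            if sep and docref not in declared:
                problems.append(f"undeclared external document reference: {docref}")
            elif not sep and end not in local:
                problems.append(f"unresolved spdx_id: {end}")
    return problems

# Constructed sample that reproduces each error class from the report.
SAMPLE = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "externalDocumentRefs": [{"externalDocumentId": "go-lib"}],
    "packages": [{"SPDXID": "SPDXRef-merge", "filesAnalyzed": False,
                  "packageVerificationCode": {"packageVerificationCodeValue": ""}}],
    "relationships": [
        {"spdxElementId": "SPDXRef-merge", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "DocumentRef-go-lib:SPDXRef-lib"},
        {"spdxElementId": "SPDXRef-Makefile", "relationshipType": "GENERATES",
         "relatedSpdxElement": "SPDXRef-merge"},
    ],
}

if __name__ == "__main__":
    for problem in check_merged_spdx(SAMPLE):
        print(problem)
```

To run it on a real file, pass `json.load(open("merge.spdx.json"))` to `check_merged_spdx` and fail the pipeline when the returned list is non-empty.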