interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms
Apache License 2.0
158 stars 20 forks

Support for strict specification adherence with analysis #138

Open surendrapathak opened 1 year ago

surendrapathak commented 1 year ago

This is to track the implementation of checking strict adherence to the specifications and reporting issues in an actionable format.

Examples:

  1. https://sbombenchmark.dev/score/bom-v0.4.0_rails-5.0.0.1.spdx.tv , Issues tab: finds Creator tool without version.
  2. https://sbombenchmark.dev/score/trivy-0.39.0_debian-bookworm-20230320-slim.spdx.tv, Issues tab: finds various Licenses in inaccurate format.
  3. https://sbombenchmark.dev/score/bom-v0.4.0_debian-bookworm-20230320-slim.spdx.tv, Issues tab: package download location is incorrect.

Rules to check (WIP) for SPDX:

  1. License expressions are valid as per SPDX license expression rules.
  2. SPDXVersion is valid
  3. SPDX DataLicense is valid
  4. DocumentNamespace is a valid URL
  5. ExternalDocRef is a valid reference
  6. LicenseListVersion follows Major/Minor versioning
  7. LicenseID incorporates only a valid set of characters
  8. Creator is limited to Person/Organization and Tool
  9. Timestamp is valid
  10. SPDXID starts with SPDXRef and has valid characters
  11. Package Provider (Supplier/Originator) is a valid Person/Organization string
  12. Package Download Location is a valid URI

viveksahu26 commented 1 month ago
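As an added example (not code from the sbomqs project), the following Go program shows what a strict tag:value checker for the rules above could look like, reporting each violation as a field, the offending value and a concrete fix. The sample SBOM is constructed for this example and deliberately contains three of the problems the issue links point at: a DocumentNamespace that is not an absolute URI, a Tool creator without a version, and a PackageSupplier that is not a Person/Organization string. The regular expressions encode the SPDX 2.x field formats as this example reads them and are not taken from the project.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Issue is one actionable finding: which field, what value was seen, and how to fix it.
type Issue struct {
	Field, Value, Message string
}

func (i Issue) String() string { return fmt.Sprintf("%s=%q: %s", i.Field, i.Value, i.Message) }

var (
	spdxVersionRe = regexp.MustCompile(`^SPDX-2\.[0-9]+$`)             // rule 2
	spdxIDRe      = regexp.MustCompile(`^SPDXRef-[A-Za-z0-9.-]+$`)     // rule 10
	licenseListRe = regexp.MustCompile(`^[0-9]+\.[0-9]+$`)             // rule 6
	licenseIDRe   = regexp.MustCompile(`^LicenseRef-[A-Za-z0-9.-]+$`)  // rule 7
	creatorRe     = regexp.MustCompile(`^(Person|Organization|Tool): (.+)$`) // rule 8
	toolVersionRe = regexp.MustCompile(`-v?[0-9]`)                     // "Tool: name-version"
	actorRe       = regexp.MustCompile(`^(Person|Organization): .+$|^NOASSERTION$`) // rule 11
)

// ValidateSPDX walks an SPDX tag:value document and returns every rule violation found.
func ValidateSPDX(doc string) []Issue {
	var issues []Issue
	add := func(field, value, msg string) { issues = append(issues, Issue{field, value, msg}) }
	for _, line := range strings.Split(doc, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		tag, value, ok := strings.Cut(line, ":")
		if !ok {
			add("line", line, "not a tag:value pair")
			continue
		}
		tag, value = strings.TrimSpace(tag), strings.TrimSpace(value)
		switch tag {
		case "SPDXVersion":
			if !spdxVersionRe.MatchString(value) {
				add(tag, value, "must look like SPDX-2.x")
			}
		case "DataLicense":
			if value != "CC0-1.0" {
				add(tag, value, "SPDX documents must declare DataLicense CC0-1.0")
			}
		case "DocumentNamespace": // rule 4
			u, err := url.Parse(value)
			if err != nil || !u.IsAbs() || u.Host == "" {
				add(tag, value, "must be an absolute URI with a scheme and host")
			}
		case "LicenseListVersion":
			if !licenseListRe.MatchString(value) {
				add(tag, value, "must be Major.Minor, e.g. 3.20")
			}
		case "LicenseID":
			if !licenseIDRe.MatchString(value) {
				add(tag, value, "must be LicenseRef- followed by letters, digits, '.' or '-'")
			}
		case "Creator":
			m := creatorRe.FindStringSubmatch(value)
			switch {
			case m == nil:
				add(tag, value, "must be prefixed Person:, Organization: or Tool:")
			case m[1] == "Tool" && !toolVersionRe.MatchString(m[2]):
				add(tag, value, "Tool creator must carry a version, e.g. Tool: name-1.2.3")
			}
		case "Created": // rule 9: SPDX uses UTC YYYY-MM-DDThh:mm:ssZ
			if _, err := time.Parse("2006-01-02T15:04:05Z", value); err != nil {
				add(tag, value, "must be a UTC timestamp of the form YYYY-MM-DDThh:mm:ssZ")
			}
		case "SPDXID":
			if !spdxIDRe.MatchString(value) {
				add(tag, value, "must start with SPDXRef- and use only letters, digits, '.' and '-'")
			}
		case "PackageSupplier", "PackageOriginator":
			if !actorRe.MatchString(value) {
				add(tag, value, "must be Person: ..., Organization: ... or NOASSERTION")
			}
		case "PackageDownloadLocation": // rule 12
			if value == "NONE" || value == "NOASSERTION" {
				break
			}
			if u, err := url.Parse(value); err != nil || u.Scheme == "" {
				add(tag, value, "must be an absolute URI, NONE or NOASSERTION")
			}
		}
	}
	return issues
}

// SampleDoc is a constructed SBOM fragment with three deliberate violations.
const SampleDoc = `
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example-sbom
DocumentNamespace: example-sbom-without-scheme
LicenseListVersion: 3.20
Creator: Tool: example-generator
Creator: Organization: Example Corp
Created: 2023-03-20T10:00:00Z
PackageName: rails
SPDXID: SPDXRef-Package-rails
PackageSupplier: rails-core-team
PackageDownloadLocation: git+https://github.com/rails/rails.git
PackageVersion: 5.0.0.1
`

func main() {
	for _, issue := range ValidateSPDX(SampleDoc) {
		fmt.Println(issue)
	}
}
```

Each finding names the field and the value that was rejected, which is what makes a report actionable: a producer can fix "Creator: Tool: example-generator" without re-reading the specification. A real checker would also resolve license expressions against the SPDX license list (rule 1) and ExternalDocRef entries (rule 5), which this example leaves out.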

Hi @surendrapathak, does this have to be implemented under the score command itself, or in some other separate command?

surendrapathak commented 1 month ago

I recommend a new 'validate' command for ensuring adherence to spec. The command validates basic structure and then rules setup above.

viveksahu26 commented 1 month ago

> I recommend a new 'validate' command for ensuring adherence to spec. The command validates basic structure and then rules setup above.

@riteshnoronha your thoughts on this ?