interlynk-io / sbomqs

SBOM quality score - Quality metrics for your sboms
Apache License 2.0

SPDX Version always return SPDX-2.3 #349

Closed warpkwd closed 1 day ago

warpkwd commented 1 week ago

SPDX Version always returns SPDX-2.3. But is this the correct specification?

$ sbomqs compliance -c SPDXJSONExample-v2.2.spdx.json
BSI TR-03183-2 v1.1 Compliance Report
Compliance score by Interlynk Score:4.5 RequiredScore:5.3 OptionalScore:3.8 for SPDXJSONExample-v2.2.spdx.json
* indicates optional fields
+----------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------+-------+
|      ELEMENTID       | SECTION |           DATAFIELD            |                                                ELEMENT RESULT                                                | SCORE |
+----------------------+---------+--------------------------------+--------------------------------------------------------------------------------------------------------------+-------+
| SBOM                 |       4 | specification                  | spdx                                                                                                         |  10.0 |
+                      +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------+-------+
|                      |       4 | specification version          | SPDX-2.3                                                                                                     |  10.0 |
+                      +---------+--------------------------------+--------------------------------------------------------------------------------------------------------------+-------+

SPDXJSONExample-v2.2.spdx.json is:

{
  "SPDXID" : "SPDXRef-DOCUMENT",
  "spdxVersion" : "SPDX-2.2",
  "creationInfo" : {
    "comment" : "This package has been shipped in source and binary form.\nThe binaries were created with gcc 4.5.1 and expect to link to\ncompatible system run time libraries.",
    "created" : "2010-01-29T18:30:22Z",
    "creators" : [ "Tool: LicenseFind-1.0", "Organization: ExampleCodeInspect ()", "Person: Jane Doe ()" ],
    "licenseListVersion" : "3.9"
  },

I think this is because of the following code:

https://github.com/spdx/tools-golang/blob/main/spdx/model.go

// Package spdx contains references to the latest spdx version
package spdx

import (
    "github.com/spdx/tools-golang/spdx/v2/common"
    latest "github.com/spdx/tools-golang/spdx/v2/v2_3"
)

const (
    Version     = latest.Version
    DataLicense = latest.DataLicense
)
viveksahu26 commented 1 week ago

Thanks for pointing that out. The o/p must be according to what the user provided. It should be SPDX-2.2 instead of SPDX-2.3. And whereas coming to the score, it could vary depending on the standard set. For instance, that could be: if the version is greater than or equal to 2.3, then score it as 10.0, or zero, kind of.

Thanks @warpkwd for raising this issue, it's a bug and we will fix it!!

viveksahu26 commented 6 days ago

This is an upstream issue, because the value of s.doc.SPDXVersion itself returns SPDX-2.3, which means spdx_json is parsing the document incorrectly: d, err = spdx_json.Read(f).

    var d *spdx.Document
    switch format {
    case FileFormatJSON:
        d, err = spdx_json.Read(f)
    case FileFormatTagValue:
        d, err = spdx_tv.Read(f)
    case FileFormatYAML:
        d, err = spdx_yaml.Read(f)
    case FileFormatRDF:
        d, err = spdx_rdf.Read(f)
    default:
        err = fmt.Errorf("unsupported spdx format %s", string(format))
    }

Where spdx_json is github.com/spdx/tools-golang/json

viveksahu26 commented 6 days ago

And the problem is with spdx_tv "github.com/spdx/tools-golang/tagvalue" too.

viveksahu26 commented 6 days ago

I have reproduced the issue for tools-golang/json and tools-golang/tagvalue here.

warpkwd commented 5 days ago

Thank you.

viveksahu26 commented 5 days ago

Concluding the response: https://github.com/spdx/tools-golang/issues/248#issuecomment-2462434308

Hey @warpkwd, the tools-golang library is designed to convert all SPDX documents to the latest supported version (currently 2.3), even if the input file specifies an older version (such as 2.2). This approach simplifies handling multiple SPDX versions by standardizing them to a single format, avoiding the need to write separate code for each version.
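Because of that normalisation, a scorer can only learn the version the producer actually declared by reading the raw file before handing it to tools-golang. The following is an added example, not sbomqs or tools-golang code: a standard-library-only Go helper that extracts the declared version from an SPDX 2.x document in either JSON or tag-value form and rejects anything that is not a well-formed 2.x version string. Both sample documents are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// versionRe accepts the declared version strings of the SPDX 2.x family.
var versionRe = regexp.MustCompile(`^SPDX-2\.[0-9]+$`)

// checkVersion rejects anything that is not a well-formed SPDX 2.x version.
func checkVersion(v string) (string, error) {
	if !versionRe.MatchString(v) {
		return "", fmt.Errorf("unrecognised SPDX version %q", v)
	}
	return v, nil
}

// DeclaredVersionJSON returns spdxVersion exactly as written in the raw JSON, before any normalisation.
func DeclaredVersionJSON(data []byte) (string, error) {
	var hdr struct {
		SpdxVersion string `json:"spdxVersion"`
	}
	if err := json.Unmarshal(data, &hdr); err != nil {
		return "", fmt.Errorf("parse SPDX JSON: %w", err)
	}
	return checkVersion(hdr.SpdxVersion)
}

// DeclaredVersionTagValue scans a tag-value document for its SPDXVersion tag (first mandatory header field).
func DeclaredVersionTagValue(data string) (string, error) {
	for _, raw := range strings.Split(data, "\n") {
		if line := strings.TrimSpace(raw); strings.HasPrefix(line, "SPDXVersion:") {
			return checkVersion(strings.TrimSpace(strings.TrimPrefix(line, "SPDXVersion:")))
		}
	}
	return "", fmt.Errorf("no SPDXVersion tag found")
}

// Constructed sample documents (not the fixture files from the issue).
const sampleJSON = `{"SPDXID":"SPDXRef-DOCUMENT","spdxVersion":"SPDX-2.2","creationInfo":{"created":"2010-01-29T18:30:22Z"}}`
const sampleTV = "SPDXVersion: SPDX-2.1\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n"

func main() {
	j, _ := DeclaredVersionJSON([]byte(sampleJSON))
	t, _ := DeclaredVersionTagValue(sampleTV)
	fmt.Println(j, t) // SPDX-2.2 SPDX-2.1
}
```

Running the declared version through a check like this before scoring lets a compliance report show what the producer wrote, while the rest of the pipeline keeps using the library's normalised 2.3 model.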

viveksahu26 commented 3 days ago

@riteshnoronha should we conclude with a NOTE: SPDX versions 2.1, 2.2 and 2.3 will be converted to 2.3 (or latest; in future it will be 3.0), as designed in the tools-golang library?

viveksahu26 commented 1 day ago

@warpkwd, this will be fixed in the next release.