opensbom-generator / spdx-sbom-generator

Support CI generation of SBOMs via golang tooling.

Ability to output to JSON #230

Closed amithkk closed 3 years ago

amithkk commented 3 years ago

This pull request adds support for creating JSON SPDX SBOMs (thereby resolving #117 if merged)

This is achieved by

Additionally, this pull request also completes the todo item of reimplementing the tag-value format (.spdx) renderer as a go template.

seabass-labrax commented 3 years ago

@amithkk, thank you for this pull request and welcome to SPDX! :)

We have a conference call meeting on Tuesday if you'd like to join - it's at 16:00 UTC; all the details are at https://wiki.spdx.org/view/Technical_Team. I'm sure everyone would love to see your contribution!

seabass-labrax commented 3 years ago

It seems as if the generated JSON may contain duplicate SPDX Elements. Running the command on this repository, there are multiple definitions of SPDXRef-Package-golang.org.x.sys-v0.0.0-20200302150141-5c8b2ff67527 for instance (see attached file sbom.txt).

amithkk commented 3 years ago

@seabass-labrax Thank you for the warm welcome 😄

Nice catch! That was caused by subpackages also being added to the document's packages array. I've updated the pull request to address that and the typo in the json tags.

Will try to join the technical meeting

seabass-labrax commented 3 years ago

Brilliant! There are just two things to change and then this should generate schema-valid SPDX JSON documents :)

  1. namespace on the Document Information section needs to be changed to documentNamespace for the JSON output (but not for the tag/value output)
  2. packages should have filesAnalyzed set to "False" since their individual files are not hashed for the PVC (Package Verification Code)

Your idea of using a template for generating the tag/value data is really nice too; it might be worth rebasing the commits to make this change more visible to other developers.

Looking forward to hearing from you at today's meeting if you can make it :)
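The two schema fixes above (the `documentNamespace` key and `filesAnalyzed` set to false for packages whose files are not hashed) and the earlier duplicate-element finding can be exercised with a small Go program. This is an added illustration, not code from this pull request or from spdx-sbom-generator; the struct shapes, the sample package and the namespace URL are constructed for the example.

```go
package main

import "fmt"

// Package is a minimal SPDX 2.2 JSON package entry (constructed for this example).
type Package struct {
	Name          string `json:"name"`
	SPDXID        string `json:"SPDXID"`
	FilesAnalyzed bool   `json:"filesAnalyzed"` // no omitempty: false must be emitted
}

// Document holds the Document Information section. The JSON key is
// documentNamespace; the tag/value renderer keeps "DocumentNamespace:".
type Document struct {
	SPDXVersion       string    `json:"spdxVersion"`
	DocumentNamespace string    `json:"documentNamespace"`
	Packages          []Package `json:"packages"`
}

// DuplicateIDs returns, in first-seen order, every SPDXID that occurs more than once.
func DuplicateIDs(pkgs []Package) []string {
	count := map[string]int{}
	var dups []string
	for _, p := range pkgs {
		count[p.SPDXID]++
		if count[p.SPDXID] == 2 {
			dups = append(dups, p.SPDXID)
		}
	}
	return dups
}

// DedupPackages keeps the first occurrence of each SPDXID so subpackages added twice do not duplicate elements.
func DedupPackages(pkgs []Package) []Package {
	seen := map[string]bool{}
	out := make([]Package, 0, len(pkgs))
	for _, p := range pkgs {
		if !seen[p.SPDXID] {
			seen[p.SPDXID] = true
			out = append(out, p)
		}
	}
	return out
}

func main() {
	sys := Package{Name: "golang.org/x/sys", SPDXID: "SPDXRef-Package-golang.org.x.sys-v0.0.0-20200302150141-5c8b2ff67527"}
	fmt.Println(DuplicateIDs([]Package{sys, sys}), len(DedupPackages([]Package{sys, sys})))
}
```

Running the deduplicated document through `encoding/json` yields `"documentNamespace"` at document level and `"filesAnalyzed":false` on every package, which is what the JSON schema validator expects.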

amithkk commented 3 years ago

@seabass-labrax Thanks for the review! Addressed those comments in my previous commit. I've also updated the checksums[] array to appropriately render and have also validated the resulting SBOM against a JSONSchema validator to double check.

seabass-labrax commented 3 years ago

@niravpatel27, would you be able to merge this please? Thanks :)

niravpatel27 commented 3 years ago

@seabass-labrax sorry everyone, I got really busy on something and missed this one. I will be on it.

amithkk commented 3 years ago

I've updated the branch to add the missing license identifiers for the two new code files

amithkk commented 3 years ago

Hi @niravpatel27, hope you are doing well 😄 - any updates on this?