Looking at some samples from running v0.0.5 (e.g. from running spdx-sbom-generator on itself), it looks like for the "primary" Package, the PackageVersion: tag appears but with no content on the line after it.
It looks like this validates when testing it on the SPDX Online Tools validator, but I believe this is an error in the online tools. Any tag should have content following it.
Steps to reproduce
Running spdx-sbom-generator on itself, and reviewing the output
Expected behavior
A PackageVersion: should be filled in, or at least should not be empty. Ideally, this could be provided in a couple of ways, if it can't be automatically derived from the project being analyzed:
via command-line flag, so the user can specify the version manually: e.g. -v v0.1.2
or, if no version is provided and none can be automatically derived, then by using e.g. the latest commit hash, where the content being scanned is in a Git repo
Screenshots
See line 13 below:
Acceptance Criteria
A PackageVersion: line always has content following it, and is not an empty line
References
https://spdx.github.io/spdx-spec/3-package-information/#33-package-version
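
One way to check the acceptance criterion above, as an added example that is not part of the original issue or of the spdx-sbom-generator code base: a Go scanner that flags any tag in SPDX tag-value text with no value after the colon. The names `EmptyTag`, `FindEmptyTags` and `sample` are hypothetical, and the sample document is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// EmptyTag is a tag-value line that has a tag but no value (hypothetical type).
type EmptyTag struct {
	Line int
	Tag  string
}

// FindEmptyTags reports every "Tag:" line with nothing after the colon.
// Comment lines and the body of a multi-line <text>...</text> value are skipped,
// so a "Note:" inside a comment block is not a false positive.
func FindEmptyTags(doc string) []EmptyTag {
	var found []EmptyTag
	inText := false
	sc := bufio.NewScanner(strings.NewReader(doc))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if inText {
			// Stay in the block until the closing marker is seen.
			inText = !strings.Contains(line, "</text>")
			continue
		}
		parts := strings.SplitN(line, ":", 2)
		if line == "" || strings.HasPrefix(line, "#") || len(parts) != 2 {
			continue
		}
		value := strings.TrimSpace(parts[1])
		if value == "" {
			found = append(found, EmptyTag{n, parts[0]})
		}
		// A value that opens <text> without closing it continues on later lines.
		inText = strings.Contains(value, "<text>") && !strings.Contains(value, "</text>")
	}
	return found
}

// sample is constructed for this example; it is not real generator output.
const sample = "SPDXVersion: SPDX-2.2\nPackageName: spdx-sbom-generator\n" +
	"PackageVersion:\nPackageComment: <text>two lines\nNote:\n</text>\n"

func main() {
	fmt.Println(FindEmptyTags(sample))
}
```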