opensbom-generator / spdx-sbom-generator

Support CI generation of SBOMs via golang tooling.

SSB-58: NPM - SPDX file validation failed in https://tools.spdx.org/app/validate/ #88

Open rynofinn opened 3 years ago

rynofinn commented 3 years ago

Original Reporter: nvelagapudi
Environment: Not Specified
Version: Not Specified
Migrated From: http://jira.linuxfoundation.org/browse/SSB-58

spdx-sbom-generator tool version v0.0.3

Test repos that I used for testing:

  1. https://github.com/gothinkster/node-express-realworld-example-app
  2. https://github.com/node-red/node-red

  1. Generate the SPDX file for the repos.
  2. Validate the files in https://tools.spdx.org/app/validate/

Observed that validation failed. PFA SPDX files for reference.

niruautomation commented 3 years ago

@khalifapro I cloned the code from master on 14-06-2021, built the tool and verified the ticket.

Observed that the warning is still displayed.

bom-npm.spdx.txt

khalifapro commented 3 years ago

This is not standard from node-red, as they use a GitHub commit as the version for the jsdoc-nr-template package. It is an edge case; how should we handle it? Should we keep the package version empty? @niravpatel27

niruautomation commented 3 years ago

Observed that the warning message is displayed when the SPDX file is validated in the SPDX validator.

Tool Version: I cloned the code from master on 25-06-2021 and built the tool
OS: Windows 10

NPM

  1. https://github.com/nhantranleon/custom_auth bom-npm_custom_auth_25-Jun-2021.spdx.txt
  2. https://github.com/node-red/node-red bom-npm_node-red_25-Jun-2021.spdx.txt
  3. https://github.com/woocommerce/woocommerce bom-npm_woocommerce_25-Jun-2021.spdx.txt

YARN

  1. https://github.com/boltpkg/bolt bom-yarn_bolt_25-Jun-2021.spdx.txt
  2. https://github.com/gothinkster/node-express-realworld-example-app bom-yarn_node-express-realworld-example-app_25-Jun-2021.spdx.txt
  3. https://github.com/xavdid/typed-install bom-yarn_typed-install_25-Jun-2021.spdx.txt

khalifapro commented 3 years ago

@niruautomation @niravpatel27 we still have the old warning spdx-version-warning because the package version is referring to a GitHub commit.
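The edge case discussed in this thread, a dependency whose npm version spec is a GitHub commit rather than a semver string, can be handled by splitting the spec into the two SPDX fields it actually describes: the repository goes into PackageDownloadLocation as an SPDX VCS URL (`git+https://host/path@ref`) and the commit or tag becomes PackageVersion. The Go code below is an added example written for this page, not spdx-sbom-generator's own code; the `SPDXPackageRef` type, the function names and the sample commit `0a1b2c3d` are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SPDXPackageRef is a hypothetical holder for the two SPDX package fields
// that a git-based npm dependency spec affects (not a spdx-sbom-generator type).
type SPDXPackageRef struct {
	Version          string // PackageVersion
	DownloadLocation string // PackageDownloadLocation
}

// githubShorthand matches npm's "github:owner/repo#ref" and "owner/repo#ref" forms.
var githubShorthand = regexp.MustCompile(`^(?:github:)?([\w.-]+)/([\w.-]+)(?:#(.+))?$`)

// NormalizeNpmGitSpec maps an npm dependency spec to SPDX fields. A git URL or
// GitHub shorthand yields a VCS download location and the commit/tag as the
// version; any other spec (a registry range) is passed through with NOASSERTION
// as the download location.
func NormalizeNpmGitSpec(spec string) SPDXPackageRef {
	spec = strings.TrimSpace(spec)
	if strings.HasPrefix(spec, "git+") || strings.HasPrefix(spec, "git://") {
		url, ref := splitRef(spec)
		return vcsRef(url, ref)
	}
	if m := githubShorthand.FindStringSubmatch(spec); m != nil {
		return vcsRef("git+https://github.com/"+m[1]+"/"+m[2]+".git", m[3])
	}
	return SPDXPackageRef{Version: spec, DownloadLocation: "NOASSERTION"}
}

// splitRef separates "url#ref" into its parts; ref is empty when absent.
func splitRef(spec string) (string, string) {
	if i := strings.LastIndex(spec, "#"); i >= 0 {
		return spec[:i], spec[i+1:]
	}
	return spec, ""
}

// vcsRef builds the SPDX pair. Without a ref the version is NOASSERTION and the
// location carries no "@ref"; npm's "#semver:<range>" is a range, not a
// checkout target, so it becomes the version but is not appended to the URL.
func vcsRef(url, ref string) SPDXPackageRef {
	if ref == "" {
		return SPDXPackageRef{Version: "NOASSERTION", DownloadLocation: url}
	}
	if v := strings.TrimPrefix(ref, "semver:"); v != ref {
		return SPDXPackageRef{Version: v, DownloadLocation: url}
	}
	return SPDXPackageRef{Version: ref, DownloadLocation: url + "@" + ref}
}

func main() {
	// Constructed sample specs: a registry range, the node-red style GitHub
	// commit reference (commit 0a1b2c3d is a placeholder), and a full git URL.
	for _, s := range []string{"^1.4.0", "github:node-red/jsdoc-nr-template#0a1b2c3d", "git+https://github.com/example/repo.git#v1.0.0"} {
		r := NormalizeNpmGitSpec(s)
		fmt.Printf("%-48s -> version=%s location=%s\n", s, r.Version, r.DownloadLocation)
	}
}
```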