sschuberth
commented
1 year ago However, it will not create an issue
Are you certain about that? This is what I tried for testing:
- Edit
plugins/package-managers/spdx/src/funTest/assets/projects/synthetic/inline-packages/project-xyz.spdx.ymlto end theSPDXIDin line 15 with an!. - Run
SpdxDocumentFileFunTest. - Observe a test failure with
issues:
- timestamp: "2023-07-04T09:07:53.008578087Z"
source: "SpdxDocumentFile"
message: "SpdxDocumentFile failed to resolve dependencies for path 'src/funTest/assets/projects/synthetic/inline-packages/project-xyz.spdx.yml':\
\ ValueInstantiationException: Cannot construct instance of `org.ossreviewtoolkit.utils.spdx.model.SpdxPackage`,\
\ problem: The SPDX ID 'SPDXRef-Package-xyz!' is only allowed to contain letters,\
\ numbers, '.', and '-'.
at [Source: (File); line: 26, column: 1] (through reference\
\ chain: org.ossreviewtoolkit.utils.spdx.model.SpdxDocument[\"packages\"]->java.util.ArrayList[0])
\
Caused by: IllegalArgumentException: The SPDX ID 'SPDXRef-Package-xyz!' is only\
\ allowed to contain letters, numbers, '.', and '-'."
severity: "ERROR"
hanna-modica
The following commit [1] will produce an error in the analyzer logs, if there is an spdx id that contains a forbidden character. However, it will not create an issue, therefore, the analyzer we run inside docker finishes with exit code 0 and in the scan report web app there is also no issue for this error. However, the dependency tree will be incomplete, but for a regular user it is hard to find out why. If possible, please make this error appear correctly in the scan report web app.
[1] https://github.com/oss-review-toolkit/ort/pull/7066/commits/015382f5645dedd55cd3c94d10ff175d4fa5198f