shamblett / sbom

An SBOM generator for Dart packages
MIT License

Running the tool provides not valid SPDX output #16

Open JR-Carroll opened 2 weeks ago

JR-Carroll commented 2 weeks ago

Following the various instructions to generate an SBOM, I am getting the following output:

image

The repo steps were:

  1. Create a generic MacOS/Windows Desktop Application (not a mobile build)
  2. On MacOS, install this sbom repo via dart pub global activate sbom
  3. Inside the top-level of the repo, generate a sbom.yaml copying the contents from example in this repo
  4. Now run sbom at the top repo where the sbom.yaml is found
  5. Output file looks like the image above

A snippet of my pubspec.yaml file looks like this: image

Additional Info: Dart Version Information

Flutter Version Information:

shamblett commented 2 weeks ago

OK, I need your full pubspec.yaml and your sbom.yaml; also, a screenshot of your Flutter project directory layout would be good, or even better, could you zip it up and post it, or post a link to its repo, say.

JR-Carroll commented 2 weeks ago

Unfortunately I cannot give you access as this is a closed-source client project that we just started. Hoping this is enough to help diagnose.

name: sampleproject
description: "A new Flutter project."
# The following line prevents the package from being accidentally published to
# pub.dev using `flutter pub publish`. This is preferred for private packages.
publish_to: 'none' # Remove this line if you wish to publish to pub.dev

# The following defines the version and build number for your application.
# A version number is three numbers separated by dots, like 1.2.43
# followed by an optional build number separated by a +.
# Both the version and the builder number may be overridden in flutter
# build by specifying --build-name and --build-number, respectively.
# In Android, build-name is used as versionName while build-number used as versionCode.
# Read more about Android versioning at https://developer.android.com/studio/publish/versioning
# In iOS, build-name is used as CFBundleShortVersionString while build-number is used as CFBundleVersion.
# Read more about iOS versioning at
# https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/CoreFoundationKeys.html
# In Windows, build-name is used as the major, minor, and patch parts
# of the product and file versions while build-number is used as the build suffix.
version: 1.0.1+1

environment:
  sdk: ^3.5.0

# Dependencies specify other packages that your package needs in order to work.
# To automatically upgrade your package dependencies to the latest versions
# consider running `flutter pub upgrade --major-versions`. Alternatively,
# dependencies can be manually updated by changing the version numbers below to
# the latest version available on pub.dev. To see which dependencies have newer
# versions available, run `flutter pub outdated`.
dependencies:
  flutter:
    sdk: flutter
  window_manager: ^0.4.2
  window_size:    
    git:
      url: https://github.com/google/flutter-desktop-embedding.git
      path: plugins/window_size
  flutter_colorpicker: ^1.1.0

  # The following adds the Cupertino Icons font to your application.
  # Use with the CupertinoIcons class for iOS style icons.
  cupertino_icons: ^1.0.8
  logger: ^2.4.0
  package_info_plus: ^8.0.2

dev_dependencies:
  flutter_test:
    sdk: flutter

  # The "flutter_lints" package below contains a set of recommended lints to
  # encourage good coding practices. The lint set provided by the package is
  # activated in the `analysis_options.yaml` file located at the root of your
  # package. See that file for information about deactivating specific lint
  # rules and activating additional ones.
  flutter_lints: ^4.0.0

# For information on the generic Dart part of this file, see the
# following page: https://dart.dev/tools/pub/pubspec

# The following section is specific to Flutter packages.
flutter:

  # The following line ensures that the Material Icons font is
  # included with your application, so that you can use the icons in
  # the material Icons class.
  uses-material-design: true

  # To add assets to your application, add an assets section, like this:
  assets:
    - assets/images/logo.png
    - assets/images/background_blueBubbles.png

  # An image asset can refer to one or more resolution-specific "variants", see
  # https://flutter.dev/to/resolution-aware-images

  # For details regarding adding assets from package dependencies, see
  # https://flutter.dev/to/asset-from-package

  # To add custom fonts to your application, add a fonts section here,
  # in this "flutter" section. Each entry in this list should have a
  # "family" key with the font family name, and a "fonts" key with a
  # list giving the asset and other descriptors for the font. For
  # example:
  # fonts:
  #   - family: Schyler
  #     fonts:
  #       - asset: fonts/Schyler-Regular.ttf
  #       - asset: fonts/Schyler-Italic.ttf
  #         style: italic
  #   - family: Trajan Pro
  #     fonts:
  #       - asset: fonts/TrajanPro.ttf
  #       - asset: fonts/TrajanPro_Bold.ttf
  #         weight: 700
  #
  # For details regarding fonts from package dependencies,
  # see https://flutter.dev/to/font-from-package

Here is the sbom.yaml file.

#
# An example of a minimal sbom.yaml file for the generation of a tag value formatted SPDX SBOM
#

# Type is mandatory
type: spdx

# This is the generation control section for type specified and is mandatory.
spdx:
  # The output format must be supplied for an SPDX file.
  SPDXFormat: 'tagvalue'

image

JR-Carroll commented 2 weeks ago

Also, when I run SBOM this does appear, likely relevant, but uncertain of its importance...

image

shamblett commented 2 weeks ago

Yes, thanks, I should have asked for this output. It's just saying you have no LICENCE file in your project; it doesn't stop anything working, it just can't generate license info.

Presumably your .dart files are under the lib directory are they?

JR-Carroll commented 2 weeks ago

Correct.

image

shamblett commented 2 weeks ago

OK, I've tried running sbom on a Flutter project of mine and it's fine if I use an editor such as Kate, say; if I substitute your pubspec and sbom yaml files it's still fine. I'm on Linux BTW.

If however I 'cat' it I get the same output you do; in fact if I 'cat' any of my already generated SPDX files I get the same thing, so this looks like a problem with the generation of these files when used with 'cat'.

I'll look at this, for now just view the files with any desktop editor. Note that the nano editor is OK but the joe and vim editors also suffer from what looks like a line ending problem.
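The line-ending symptom described above can be checked mechanically before an SBOM is consumed downstream. The following is an added example (not part of the sbom package or this issue): it classifies the raw line endings of a tag/value SPDX file, normalizes them to LF, and parses the tag/value pairs to report which mandatory document-level SPDX 2.x tags are missing. The sample bytes are constructed to mimic a file written with bare CR terminators.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what a tag/value file might look like if the generator
# wrote bare CR (\r) terminators. cat renders this as one overwritten line and
# nano shows the lines joined with ^M.
SAMPLE_CR_ONLY = (
    b"SPDXVersion: SPDX-2.2\r"
    b"DataLicense: CC0-1.0\r"
    b"SPDXID: SPDXRef-DOCUMENT\r"
    b"DocumentName: sampleproject\r"
)

# Mandatory document creation tags in SPDX 2.x tag/value documents.
REQUIRED_TAGS = ["SPDXVersion", "DataLicense", "SPDXID", "DocumentName",
                 "DocumentNamespace", "Creator", "Created"]

TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def classify_line_endings(data: bytes) -> str:
    """Return 'CRLF', 'CR', 'LF', 'MIXED' or 'NONE' for the raw file bytes."""
    crlf = data.count(b"\r\n")
    cr_only = data.count(b"\r") - crlf   # CRs not followed by LF
    lf_only = data.count(b"\n") - crlf   # LFs not preceded by CR
    kinds = [k for k, n in (("CRLF", crlf), ("CR", cr_only), ("LF", lf_only)) if n]
    if not kinds:
        return "NONE"
    return kinds[0] if len(kinds) == 1 else "MIXED"


def normalize_to_lf(data: bytes) -> bytes:
    """Rewrite CRLF first, then any bare CR, so CRLF never becomes two newlines."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def parse_tag_value(text: str) -> List[Tuple[str, str]]:
    """Collect (tag, value) pairs, skipping blank lines and # comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = TAG_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def check_sbom(data: bytes) -> Dict[str, object]:
    """Report line-ending style, parsed tags and missing mandatory tags."""
    tags = parse_tag_value(normalize_to_lf(data).decode("utf-8"))
    present = {t for t, _ in tags}
    missing = [t for t in REQUIRED_TAGS if t not in present]
    return {"line_endings": classify_line_endings(data), "tags": tags, "missing": missing}
```

Run `check_sbom(open("sbom.spdx", "rb").read())` on a generated file; anything other than `LF` (or `CRLF`) in `line_endings` explains the garbled `cat` output, and `missing` lists tags a validator would reject.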

JR-Carroll commented 2 weeks ago

Oh, how very interesting, I've never encountered a cat problem like this before. Good to know/good find.

Note that Nano also looks like it's suffering from some visual problems as well, but it does look better. See the image below where lines are joined with ^M (assuming ASCII/Unicode CR control char).

image

(FYI I am on *nix aka MacOS)

shamblett commented 2 weeks ago

OK, should be fixed now; it should be correctly formatted on all platforms. Package re-released at version 2.1.0.

BTW, if you ever need to verify the SPDX output, go here and select 'tag/value' in the drop down, then select your SPDX file.