Closed m-dhana closed 1 year ago
Thanks, @m-dhana, for the bug report!
Would you mind providing the SBOM you used? Or a stylized version of that SBOM? That would help in debugging this issue.
@jspeed-meyers - Unfortunately, I cannot give the SBOM. All I can say is that the error message is displayed when the SBOM files have this info:

```json
"files": [
  {
    "fileName": "/a/b/c/d",
    "SPDXID": "SPDXRef-File-xyz",
    "checksums": [
      {
        "algorithm": "SHA1",
        "checksumValue": "0000000000000000000000000000000000000000"
      }
    ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": "",
    "comment": "layerID: sha256:123"
  },
```
@m-dhana, understood. We'll do our best to debug :)
@m-dhana:
I did a little digging and this is what I provisionally found.
First, I changed line 194 in SPDXRdfExample-v2.3.spdx.rdf.xml in tests/data/no_elements_missing to:

```xml
<spdx:fileName>/etc/alternatives/README</spdx:fileName>
```

and when I ran the tool on it, I got the type of error you documented:

```
The provided document is not valid according to the SPDX specification. The following errors were found:
file name must not be an absolute path starting with "/", but is: /etc/alternatives/README
```

I then dug into the SPDX specification and found section 3.4 on "Package File Name," which says:

> 3.4.2 Intent: Here, the actual file name of the compressed file containing the package may be a significant technical element that needs to be included with each package identification information. If a grouping, like a set of files in a subdirectory, is being treated as a package, the subdirectory name may be appropriate to provide. Subdirectory name is preceded with a "./",

So I think the "bug" is not a bug from the perspective of the SPDX specification and the python-tools implementation. (python-tools is the awesome SPDX python library underlying `ntia-conformance-checker`.) In other words, I think that if you add "./" at the beginning of the files, then you will not receive an error. When I change the file name to ./etc/alternatives/README, I no longer get an error.

Does this make sense? Thoughts? If it's helpful, I can @ the relevant maintainers from spdx-tools. Thank you, again, for the bug report~
@jspeed-meyers - Thank you for researching. Yes, as per this article https://spdx.dev/spdx-specification-21-web-version/#h.37m2jsg the file name should start with "./". I will make the changes needed. Closing this ticket.
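As an added illustration of the fix agreed on in this thread (this is not code from ntia-conformance-checker or python-tools), the script below loads a small constructed SPDX JSON document, reports every `fileName` that starts with "/" using the same condition the checker complains about, and produces a copy of the document with each name rewritten into the "./"-prefixed relative form the specification asks for. The sample SBOM, the `SPDXRef-File-*` identifiers and the checksum values are all made up for the example.

```python
import copy
import json

# Constructed sample modelled on the snippet in this thread (not a real SBOM):
# one file with an absolute path, one already in the "./" form the spec asks for.
SAMPLE_SBOM = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "files": [
    {
      "fileName": "/etc/alternatives/README",
      "SPDXID": "SPDXRef-File-readme",
      "checksums": [{"algorithm": "SHA1",
                     "checksumValue": "0000000000000000000000000000000000000000"}],
      "licenseConcluded": "NOASSERTION",
      "copyrightText": ""
    },
    {
      "fileName": "./src/main.c",
      "SPDXID": "SPDXRef-File-main",
      "checksums": [{"algorithm": "SHA1",
                     "checksumValue": "1111111111111111111111111111111111111111"}],
      "licenseConcluded": "NOASSERTION",
      "copyrightText": ""
    }
  ]
}
""")


def find_absolute_file_names(doc):
    """Return (SPDXID, fileName) pairs whose fileName starts with "/".

    This is the condition behind the error message quoted in the thread;
    it is reimplemented here, not imported from python-tools.
    """
    return [
        (f.get("SPDXID"), f["fileName"])
        for f in doc.get("files", [])
        if f.get("fileName", "").startswith("/")
    ]


def to_relative_file_name(name):
    """Rewrite a fileName into the "./"-prefixed relative form.

    "/etc/x" -> "./etc/x"; "etc/x" -> "./etc/x"; "./etc/x" is left alone.
    Only the leading "/" is dropped; the rest of the path is untouched so
    the checksums still describe the same file. Empty names are returned
    unchanged so a missing value is not silently turned into "./".
    """
    if not name or name.startswith("./"):
        return name
    return "./" + name.lstrip("/")


def normalize_file_names(doc):
    """Return a deep copy of doc with every fileName made relative.

    The input is not modified, so the original SBOM can still be diffed
    against the rewritten one before it is re-checked.
    """
    fixed = copy.deepcopy(doc)
    for f in fixed.get("files", []):
        if "fileName" in f:
            f["fileName"] = to_relative_file_name(f["fileName"])
    return fixed


if __name__ == "__main__":
    # Report offenders in the same wording the checker uses, then emit the fixed SBOM.
    for spdx_id, name in find_absolute_file_names(SAMPLE_SBOM):
        print(f'{spdx_id}: file name must not be an absolute path '
              f'starting with "/", but is: {name}')
    print(json.dumps(normalize_file_names(SAMPLE_SBOM), indent=2))
```

Run it against an exported SPDX JSON file by replacing `SAMPLE_SBOM` with `json.load(open(path))`; the rewritten document can then be fed back to the checker to confirm the absolute-path errors are gone.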
ntia-checker fails for files under fileName must not be an absolute path
Failure message is: `file name must not be an absolute path starting with "/", but is: /etc/alternatives/README`
ntia-checker version is 0.5.0