spdx / spdx-java-jackson-store

JSON storage implementation for the SPDX tools
Apache License 2.0

Cannot deserialize XML files that contain a single relationship #62

Closed eduard-tita closed 1 year ago

eduard-tita commented 1 year ago

I'm having trouble deserializing SPDX 2.3 XML files that contain a single relationship. I always get an exception like:

Exception in thread "main" org.spdx.library.InvalidSPDXAnalysisException: Relationships are expected to be in an array for type Relationship
    at org.spdx.jacksonstore.JacksonDeSerializer.restoreRelationships(JacksonDeSerializer.java:226)
    at org.spdx.jacksonstore.JacksonDeSerializer.storeDocument(JacksonDeSerializer.java:114)
    at org.spdx.jacksonstore.MultiFormatStore.deSerialize(MultiFormatStore.java:260)
    at org.example.XmlTest.main(XmlTest.java:54)

Here's a code fragment that can be used to replicate the issue:

    import java.io.BufferedInputStream;
    import java.io.ByteArrayInputStream;
    import java.io.InputStream;
    import java.nio.charset.StandardCharsets;

    import org.spdx.jacksonstore.MultiFormatStore;
    import org.spdx.jacksonstore.MultiFormatStore.Format;
    import org.spdx.jacksonstore.MultiFormatStore.Verbose;
    import org.spdx.storage.IModelStore;
    import org.spdx.storage.simple.InMemSpdxStore;

    // Class and method names taken from the stack trace above (org.example.XmlTest.main)
    public class XmlTest {
      public static void main(String[] args) throws Exception {
        // SPDX 2.3 document with exactly one <relationships> element
        String xml =
            "<?xml version='1.0' encoding='UTF-8'?>\n" +
            "<Document>\n" +
            "  <SPDXID>SPDXRef-DOCUMENT</SPDXID>\n" +
            "  <spdxVersion>SPDX-2.3</spdxVersion>\n" +
            "  <creationInfo>\n" +
            "    <created>2023-07-13T19:00:03Z</created>\n" +
            "  </creationInfo>\n" +
            "  <documentNamespace>http://localhost:8070/ui/links/application/d250688de91244f2bdb44ba4f56c34fb/report/dbfb526ba560483dad0cfb17391e7f8d</documentNamespace>\n" +
            "  <packages>\n" +
            "    <SPDXID>SPDXRef-generic-sonatype-iq-application-Test-App-f39e9e5e7b73437aade319bc133488f4-dbfb526ba560483dad0cfb17391e7f8d</SPDXID>\n" +
            "    <externalRefs>\n" +
            "      <referenceCategory>PACKAGE-MANAGER</referenceCategory>\n" +
            "      <referenceLocator>pkg:generic/sonatype/iq_application_Test%20App%20f39e9e5e7b73437aade319bc133488f4@dbfb526ba560483dad0cfb17391e7f8d</referenceLocator>\n" +
            "      <referenceType>purl</referenceType>\n" +
            "    </externalRefs>\n" +
            "    <filesAnalyzed>false</filesAnalyzed>\n" +
            "    <licenseConcluded>NOASSERTION</licenseConcluded>\n" +
            "    <licenseDeclared>NOASSERTION</licenseDeclared>\n" +
            "    <name>sonatype:iq_application_Test App f39e9e5e7b73437aade319bc133488f4</name>\n" +
            "    <versionInfo>dbfb526ba560483dad0cfb17391e7f8d</versionInfo>\n" +
            "  </packages>\n" +
            "  <relationships>\n" +
            "    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>\n" +
            "    <relationshipType>DESCRIBES</relationshipType>\n" +
            "    <relatedSpdxElement>SPDXRef-generic-sonatype-iq-application-Test-App-f39e9e5e7b73437aade319bc133488f4-dbfb526ba560483dad0cfb17391e7f8d</relatedSpdxElement>\n" +
            "  </relationships>\n" +
            "</Document>\n";

        // Back the XML store with a plain in-memory model store
        IModelStore modelStore = new InMemSpdxStore();
        MultiFormatStore multiFormatStore = new MultiFormatStore(modelStore, Format.XML, Verbose.COMPACT);
        try (InputStream in = new BufferedInputStream(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))) {
          // Throws InvalidSPDXAnalysisException for the single-relationship document
          multiFormatStore.deSerialize(in, true);
        }
      }
    }

Is there anything I have to add/change to make it work? If I add another relationship element to the above, everything works fine. As far as I can tell the sample XML above is valid as per SPDX spec ver. 2.3.

Thank you.

goneall commented 1 year ago

@eduard-tita I agree the example looks valid. This looks like an issue with the deserialization code.

Rather than throwing an exception here, it should handle a single relationship.

eduard-tita commented 1 year ago

> @eduard-tita I agree the example looks valid. This looks like an issue with the deserialization code.
>
> Rather than throwing an exception here, it should handle a single relationship.

Thanks, @goneall. Something that's still a bit puzzling for me is that the same SPDX sample (i.e. single relationship) in JSON format works fine.

goneall commented 1 year ago

> Something that's still a bit puzzling for me is that the same SPDX sample (i.e. single relationship) in JSON format works fine.

I'm not completely sure myself, but I believe it relates to how the Jackson libraries handle XML elements when deserializing. It is trying to map XML elements into either an array or a single object. In JSON, the syntax makes it clear it is an array while in XML it is ambiguous without the schema. This is a potential issue with other expected arrays where in XML it is represented by a single element.
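
The ambiguity described above can be seen directly in Jackson's tree model. The following is an added example, not code from this issue or from spdx-java-jackson-store: it parses a constructed SPDX-like fragment with one and then with two `<relationships>` elements, shows that the lone element arrives as an object node rather than an array node, and normalises both shapes with a hypothetical `asArray` helper so a deserializer can iterate them uniformly. It assumes jackson-dataformat-xml on the classpath.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.node.ArrayNode;
import com.fasterxml.jackson.dataformat.xml.XmlMapper;

public class SingleElementArrays {
    private static final XmlMapper MAPPER = new XmlMapper();

    // Constructed SPDX-like relationship elements (not the document from the issue)
    private static final String DESCRIBES = "<relationships><spdxElementId>SPDXRef-DOCUMENT</spdxElementId>"
        + "<relationshipType>DESCRIBES</relationshipType>"
        + "<relatedSpdxElement>SPDXRef-Package-A</relatedSpdxElement></relationships>";
    private static final String DEPENDS_ON = "<relationships><spdxElementId>SPDXRef-Package-A</spdxElementId>"
        + "<relationshipType>DEPENDS_ON</relationshipType>"
        + "<relatedSpdxElement>SPDXRef-Package-B</relatedSpdxElement></relationships>";
    // One relationship: the case that fails in the issue. Two: the case that already works.
    private static final String ONE = "<Document>" + DESCRIBES + "</Document>";
    private static final String TWO = "<Document>" + DESCRIBES + DEPENDS_ON + "</Document>";

    /**
     * Hypothetical helper. XML has no array syntax, so XmlMapper.readTree (Jackson 2.12 or
     * later) yields an ObjectNode for a lone element and an ArrayNode only for repeated ones.
     * A field the SPDX schema defines as a list must accept both shapes instead of
     * rejecting anything that is not already an array.
     */
    static ArrayNode asArray(JsonNode node) {
        if (node == null || node.isMissingNode() || node.isNull()) return MAPPER.createArrayNode(); // absent: empty list
        if (node.isArray()) return (ArrayNode) node;
        ArrayNode wrapped = MAPPER.createArrayNode();
        wrapped.add(node);                     // wrap the lone element
        return wrapped;
    }

    /** Prints the raw node type, then each relationship, and returns the normalised count. */
    static int countRelationships(String xml) throws Exception {
        JsonNode raw = MAPPER.readTree(xml).get("relationships");
        System.out.println("raw node type: " + raw.getNodeType());
        ArrayNode relationships = asArray(raw);
        for (JsonNode rel : relationships) {
            System.out.println("  " + rel.path("spdxElementId").asText() + " "
                + rel.path("relationshipType").asText() + " " + rel.path("relatedSpdxElement").asText());
        }
        return relationships.size();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(countRelationships(ONE) + " relationship(s)");
        System.out.println(countRelationships(TWO) + " relationship(s)");
    }
}
```

The same normalisation applies to every other schema field that is a list in JSON but may appear as a single element in XML, such as `packages` or `externalRefs` in the document above.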

eduard-tita commented 1 year ago

@goneall Is it possible to do a release that contains the above fix? Thanks

goneall commented 1 year ago

@eduard-tita - Will do - I'm a bit overcommitted with other tasks this week, but I should be able to spin a release this weekend or early next week.

goneall commented 1 year ago

@eduard-tita - Just did a new release - 1.1.7 - with this fix.

I have not done a new release of any of the utilities that use this library (e.g. tools-java) - let me know if I should spin a new release for those. Otherwise, I'll wait for additional fixes.

eduard-tita commented 1 year ago

Thanks a lot, @goneall. This will do for now.