spdx / spdx-java-rdf-store

SPDX Tools RDF Support Library
Apache License 2.0

Tool identifies 0BSD as BSD #43

Closed GMishx closed 1 year ago

GMishx commented 1 year ago

I was using the tool to verify SPDX RDF reports generated by FOSSology, where I noticed that the tool identifies 0BSD as the BSD license.

    $ java -jar tools-java-1.1.3-jar-with-dependencies.jar Verify SPDX2_30-seconds-of-code-master.tar.gz.spdx.rdf
    WARNING: sun.reflect.Reflection.getCallerClass is not supported. This will impact performance.
    This SPDX Document is not valid due to:
            Missing required license name in 30-seconds-of-code-master.tar.gz/30-seconds-of-code-master.tar/30-seconds-of-code-master.zip/30-seconds-of-code-master/.mdlrc.style.rb in 30-seconds-of-code-master.tar.gz
            Missing required license text for BSD in 30-seconds-of-code-master.tar.gz/30-seconds-of-code-master.tar/30-seconds-of-code-master.zip/30-seconds-of-code-master/.mdlrc.style.rb in 30-seconds-of-code-master.tar.gz

This causes the tool to say the SPDX Document is not valid. I am attaching the file as .txt here to check.

SPDX2_30-seconds-of-code-master.tar.gz.spdx.rdf.txt

The license is used as a licenseConcluded in a <spdx:File>:

    <spdx:licenseConcluded>
      <spdx:ListedLicense rdf:about="http://spdx.org/licenses/0BSD">
        <spdx:name>BSD Zero Clause License</spdx:name>
        <spdx:licenseId>0BSD</spdx:licenseId>
        <spdx:licenseText><![CDATA[
    Copyright (C) YEAR by AUTHOR EMAIL

    Permission to use, copy, modify, and/or distribute this software for any purpose with or without fee is hereby granted.

    THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
        ]]></spdx:licenseText>
        <rdfs:seeAlso>http://landley.net/toybox/license.html</rdfs:seeAlso>
      </spdx:ListedLicense>
    </spdx:licenseConcluded>

goneall commented 1 year ago

Thanks @GMishx for reporting this.

I narrowed down the issue - for some reason, the Jena library is removing the preceding 0 in 0BSD when converting from a URI to a local name.

I'll transfer this issue over to the RDF library.

Turns out your timing is quite good - I'm just about to do a new release of the java tools and should be able to get in a fix or at least some kind of workaround.
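
The dropped digit is consistent with XML QName rules, under which a local name cannot begin with a digit. The following is an added example, not code from the SPDX tools or from Jena: it contrasts a simplified model of a QName-style split with deriving the license ID by stripping the known listed-license namespace. The class and method names are hypothetical, and every sample URI other than the 0BSD one from the report is constructed.

```java
import java.util.List;

public class ListedLicenseId {
    // Namespace of SPDX listed-license URIs, as seen in the report's rdf:about value.
    static final String LISTED_LICENSE_NS = "http://spdx.org/licenses/";

    // Simplified NCName rules: a name may contain letters, digits, '.', '-'
    // and '_', but it must start with a letter or '_'.
    static boolean isNcNameChar(char c) {
        return Character.isLetterOrDigit(c) || c == '.' || c == '-' || c == '_';
    }

    static boolean isNcNameStart(char c) {
        return Character.isLetter(c) || c == '_';
    }

    // Simplified model of a QName-style split (an assumption, not Jena's code):
    // take the longest run of name characters at the end of the URI, then skip
    // forward to the first character that may legally start a name.
    static String qnameLocalName(String uri) {
        int i = uri.length();
        while (i > 0 && isNcNameChar(uri.charAt(i - 1))) i--;
        while (i < uri.length() && !isNcNameStart(uri.charAt(i))) i++;
        return uri.substring(i);
    }

    // Prefix-based extraction: the ID is everything after the known namespace,
    // so leading digits survive. Anything outside the namespace is rejected.
    static String licenseIdFromUri(String uri) {
        if (!uri.startsWith(LISTED_LICENSE_NS) || uri.length() == LISTED_LICENSE_NS.length()) {
            throw new IllegalArgumentException("Not a listed-license URI: " + uri);
        }
        return uri.substring(LISTED_LICENSE_NS.length());
    }

    public static void main(String[] args) {
        // Constructed sample input; only the 0BSD URI comes from the report.
        List<String> uris = List.of(
            "http://spdx.org/licenses/0BSD",
            "http://spdx.org/licenses/MIT",
            "http://spdx.org/licenses/389-exception");
        for (String uri : uris) {
            String qname = qnameLocalName(uri);
            String id = licenseIdFromUri(uri);
            System.out.printf("%-40s qname=%-10s prefix=%-14s %s%n",
                uri, qname, id, qname.equals(id) ? "ok" : "MISMATCH");
        }
    }
}
```

Run against these inputs, the QName-style split yields `BSD` and `exception` for the two IDs that begin with digits, while the prefix-based extraction returns the IDs unchanged.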

goneall commented 1 year ago

I found the issue - the Jena call implements the following function to get the local name - note that the local name cannot start with a digit:

    /**
     * Given an absolute URI, determine the split point between the namespace
     * part and the localname part. If there is no valid localname part then the
     * length of the string is returned. The algorithm tries to find the longest
     * NCName at the end of the uri, not immediately preceeded by the first
     * colon in the string.
     * <p>
     * This operation follows XML QName rules which are more complicated than
     * needed for Turtle and TriG.   For example, QName can't start with a digit.
     *
     * @param uri
     * @return the index of the first character of the localname
     * @see SplitIRI
     */
    public static int splitNamespaceXML(String uri) {