spdx / spdx-java-tagvalue-store

SPDX Document Storage using the Tag/Value format
Apache License 2.0

Invalid tag:value SPDX file is valid according to tools-java #57

Open vargenau opened 9 months ago

vargenau commented 9 months ago

bug.spdx.txt

File bug.spdx is invalid according to tools-python:

pyspdxtools -i bug.spdx
ERROR:root:There have been issues while parsing the provided document:
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 32

tools-java does not detect it as invalid.

tools-java release 1.1.8

goneall commented 9 months ago

It looks like the FilesAnalyzed is after the Relationships which is invalid - agree this is a bug.

@vargenau Thanks for reporting it.

I'll transfer the issue to the tag/value parser project which does the parsing and validation.

goneall commented 9 months ago

After researching #58 I've come to the conclusion this is actually valid since the spec does not state what order the relationships and files analyzed flags should be in.

@vargenau - let me know if you agree. If so, it looks like this may be an issue for the tools-python library.

goneall commented 9 months ago

@vargenau - Never mind - I found the documentation that states the relationships information "may" follow the package information before the file information. It isn't very clear, but you could read this as the ordering is required.

I'll leave this open as a bug.
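An added illustration, not part of the thread and not code from tools-java or tools-python: a minimal scope check for the ordering discussed above, under the strict reading in which a Relationship line ends the package's scope. The function names, the scope model and the sample fragment are assumptions made for this example.

```python
import re

# Tags that open a new element and so change the current scope.
SCOPE_OPENERS = {"PackageName": "package", "FileName": "file",
                 "SnippetSPDXID": "snippet"}
TAG_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9]*):\s*(.*)$")

def is_package_tag(tag):
    """Tags that describe a package and need a package in scope."""
    return tag == "FilesAnalyzed" or (
        tag.startswith("Package") and tag != "PackageName")

def find_out_of_scope_tags(text):
    """Return (line_no, tag, last_scope_change) per misplaced package tag."""
    scope, changed_by, in_text = "document", None, False
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if in_text:                      # inside a multi-line <text> value
            in_text = "</text>" not in line
            continue
        m = TAG_LINE.match(line.strip())
        if not m:                        # blank line or '#' comment
            continue
        tag, value = m.groups()
        in_text = "<text>" in value and "</text>" not in value
        if tag in SCOPE_OPENERS:
            scope, changed_by = SCOPE_OPENERS[tag], (tag, line_no)
        elif tag == "Relationship":      # assumption: closes the open element
            scope, changed_by = "closed", (tag, line_no)
        elif is_package_tag(tag) and scope != "package":
            findings.append((line_no, tag, changed_by))
    return findings

# Constructed fragment, not the bug.spdx attached to the issue.
SAMPLE = """\
SPDXVersion: SPDX-2.3
SPDXID: SPDXRef-DOCUMENT
PackageName: demo
SPDXID: SPDXRef-Package
PackageDownloadLocation: NOASSERTION
PackageComment: <text>multi-line comment
FilesAnalyzed: true (still inside the text block)
</text>
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package
FilesAnalyzed: false
"""

if __name__ == "__main__":
    print(find_out_of_scope_tags(SAMPLE))
```

Running a check like this in an SBOM ingestion step surfaces documents that one SPDX parser accepts and another rejects before they reach downstream tooling.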