Converting from JSON to tag:value creates invalid SPDX

spdx / spdx-java-tagvalue-store

SPDX Document Storage using the Tag/Value format

Apache License 2.0

2 stars 1 forks source link

Converting from JSON to tag:value creates invalid SPDX #58

Open vargenau opened 10 months ago

vargenau commented 10 months ago

bug.spdx.json.txt

bug.spdx.txt

We have a valid SPDX JSON file bug.spdx.json.

With tools-java we convert it to tag:value giving bug.spdx.

bug.spdx is invalid accoding to tools-python:

pyspdxtools -i bug.spdx
ERROR:root:There have been issues while parsing the provided document:
Element Package is not the current element in scope, probably the expected tag to start the element (PackageName) is missing. Line: 32

tools-java release 1.1.8

goneall commented 10 months ago

~~After looking at the spec, this may actually be valid.~~

~~I didn't see anything in the spec that states the relationships must be in a specific position within the document.~~

~~Files that are contained within the package, on the other hand, must immediately follow the package they belong to.~~

~~That being said, from a readability point of view, it would be better to have the files analyzed flag before the relationships.~~

I'll create a PR to fix.

goneall commented 10 months ago

Transferring to the tag/value store which generates the tag/value files.

goneall commented 10 months ago

Note that section 5.2.2 of the SPDX 2.3 spec states:

Annotations and relationships for the package may appear after the package information before any file information.

It doesn't use the word "shall", but this could be interpreted as a required ordering.

In either case, this is fixed with PR #59