spdx / spdx-maven-plugin

Plugin for supporting SPDX in a Maven build.
Apache License 2.0

Unable to resolve parametric urls? #58

Closed justinabrahms closed 1 year ago

justinabrahms commented 1 year ago

I have this dependency:

      <groupId>uk.org.lidalia</groupId>
      <artifactId>slf4j-test</artifactId>
      <version>1.2.0</version>

but adding spdx into the build chain errors with the following error:

[INFO] --- spdx-maven-plugin:0.6.1:createSPDX (build-spdx) @ sdk ---
[INFO] Creating SPDX File /Users/jabrahms/src/github.com/open-feature/javasdk/target/site/dev.openfeature_sdk-0.2.2.spdx.json
[WARNING] Unable to map maven licenses to a declared license.  Using NOASSERTION
[WARNING] Could not determine the SPDX relationship type for dependency artifact ID lombok scope provided
[ERROR] SPDX analysis error processing dependencies: http://projects.lidalia.org.uk/${project.artifactId} is not a valid URI
org.spdx.library.InvalidSPDXAnalysisException: http://projects.lidalia.org.uk/${project.artifactId} is not a valid URI
    at org.spdx.library.model.SpdxPackage.setHomepage (SpdxPackage.java:325)
    at org.spdx.maven.SpdxDependencyInformation.createSpdxPackage (SpdxDependencyInformation.java:431)
    at org.spdx.maven.SpdxDependencyInformation.createSpdxPackage (SpdxDependencyInformation.java:206)
    at org.spdx.maven.SpdxDependencyInformation.addMavenDependency (SpdxDependencyInformation.java:105)
    at org.spdx.maven.CreateSpdxMojo.getSpdxDependencyInformation (CreateSpdxMojo.java:561)
    at org.spdx.maven.CreateSpdxMojo.execute (CreateSpdxMojo.java:484)
    at org.apache.maven.plugin.DefaultBuildPluginManager.executeMojo (DefaultBuildPluginManager.java:137)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute2 (MojoExecutor.java:370)
    at org.apache.maven.lifecycle.internal.MojoExecutor.doExecute (MojoExecutor.java:351)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:215)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:171)
    at org.apache.maven.lifecycle.internal.MojoExecutor.execute (MojoExecutor.java:163)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:117)
    at org.apache.maven.lifecycle.internal.LifecycleModuleBuilder.buildProject (LifecycleModuleBuilder.java:81)
    at org.apache.maven.lifecycle.internal.builder.singlethreaded.SingleThreadedBuilder.build (SingleThreadedBuilder.java:56)
    at org.apache.maven.lifecycle.internal.LifecycleStarter.execute (LifecycleStarter.java:128)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:294)
    at org.apache.maven.DefaultMaven.doExecute (DefaultMaven.java:192)
    at org.apache.maven.DefaultMaven.execute (DefaultMaven.java:105)
    at org.apache.maven.cli.MavenCli.execute (MavenCli.java:960)
    at org.apache.maven.cli.MavenCli.doMain (MavenCli.java:293)
    at org.apache.maven.cli.MavenCli.main (MavenCli.java:196)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0 (Native Method)
    at jdk.internal.reflect.NativeMethodAccessorImpl.invoke (NativeMethodAccessorImpl.java:62)
    at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke (DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke (Method.java:566)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launchEnhanced (Launcher.java:282)
    at org.codehaus.plexus.classworlds.launcher.Launcher.launch (Launcher.java:225)
    at org.codehaus.plexus.classworlds.launcher.Launcher.mainWithExitCode (Launcher.java:406)
    at org.codehaus.plexus.classworlds.launcher.Launcher.main (Launcher.java:347)

goneall commented 1 year ago

@justinabrahms Thanks for submitting the issue. I'll look into this issue. I'm about to update the plugin with a new version of the SPDX library - I'll see if I can include a resolution of this issue before the release.

goneall commented 1 year ago

@justinabrahms I checked and the resolution of parameters is working in this plugin. The problem is the upstream POM file is using ${project.artifactId} which doesn't resolve to a value. Changing it to ${artifactId} works (at least in the version of Maven I'm using).

It shouldn't completely fail, however. I'll make an update which will just produce a warning if there is an invalid URL specified.
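
As an added illustration of the behaviour described above (example code, not from spdx-maven-plugin or its maintainers): a pre-check that runs on a dependency's homepage before it is handed to the SPDX package builder, so an upstream POM with an unresolved `${...}` property, a relative path, or an unparsable URI produces a warning and the SPDX-permitted `NOASSERTION` value instead of aborting the whole SBOM. The class and method names are my own, the sample inputs are constructed (the first is the URL from the report), and the library's `setHomepage` from the stack trace is deliberately not called.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.regex.Pattern;

/**
 * Added example, not spdx-maven-plugin code: validate a dependency's homepage before it
 * reaches the SPDX package, so one bad upstream POM degrades to a warning instead of
 * failing the build.
 */
public final class HomepageCheck {

    /** A Maven property that survived interpolation, e.g. "${project.artifactId}". */
    private static final Pattern UNRESOLVED_PROPERTY = Pattern.compile("\\$\\{[^}]*\\}");

    /** Value SPDX allows for PackageHomePage when the homepage is unknown. */
    public static final String NOASSERTION = "NOASSERTION";

    private HomepageCheck() {}

    /**
     * Returns the homepage unchanged if it is an absolute, syntactically valid URI;
     * otherwise logs a warning and returns NOASSERTION. Blank input is silently NOASSERTION.
     */
    public static String sanitizeHomepage(String artifactId, String homepage) {
        if (homepage == null || homepage.trim().isEmpty()) {
            return NOASSERTION;
        }
        // Checked before URI parsing so the warning names the real cause (an unresolved
        // property) rather than the generic "not a valid URI" seen in the stack trace.
        if (UNRESOLVED_PROPERTY.matcher(homepage).find()) {
            warn(artifactId, "homepage contains an unresolved Maven property: " + homepage);
            return NOASSERTION;
        }
        try {
            URI uri = new URI(homepage);
            if (!uri.isAbsolute()) {
                warn(artifactId, "homepage is not an absolute URI: " + homepage);
                return NOASSERTION;
            }
            return homepage;
        } catch (URISyntaxException e) {
            warn(artifactId, "homepage is not a valid URI: " + homepage + " (" + e.getReason() + ")");
            return NOASSERTION;
        }
    }

    private static void warn(String artifactId, String message) {
        // A real Mojo would use the Maven logger (getLog().warn); stderr keeps this stand-alone.
        System.err.println("[WARNING] " + artifactId + ": " + message + ". Using " + NOASSERTION);
    }

    public static void main(String[] args) {
        // Constructed sample inputs; the first is the homepage value from the issue report.
        String[][] samples = {
            {"slf4j-test", "http://projects.lidalia.org.uk/${project.artifactId}"},
            {"slf4j-test", "http://projects.lidalia.org.uk/slf4j-test"},
            {"example-lib", "projects/example-lib"},
            {"example-lib", "http://example.invalid/a b"},
            {"example-lib", null}
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " -> " + sanitizeHomepage(s[0], s[1]));
        }
    }
}
```

Returning `NOASSERTION` mirrors what the plugin already does for licenses it cannot map (the `Using NOASSERTION` warning in the log above), so a consumer of the SBOM sees an explicit "unknown" for that field while the rest of the package data is still recorded.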

justinabrahms commented 1 year ago

Thanks, @goneall. When do you usually cut releases for the tool (so I can update my dependency and check in spdx sboms)?

goneall commented 1 year ago

> When do you usually cut releases for the tool?

The next release should be within 2-3 days.

I typically create a new release within a month of any updates to the SPDX spec. I'll also create a new release if there are any serious issues or high security vulnerabilities which have been fixed.