spdx / spdx-spec

The SPDX specification in MarkDown and HTML formats.
https://spdx.github.io/spdx-spec/

Validation challenges where examples contain external document ref #870

Closed swinslow closed 10 months ago

swinslow commented 10 months ago

(raised in connection with https://github.com/spdx/tools-golang/issues/231)

The SPDX 2.3 example documents include an external document reference DocumentRef-spdx-tool-1.2, with a relationship to a package SPDXRef-ToolsElement in that external document. Here's an example from the JSON document:

https://github.com/spdx/spdx-spec/blob/8a595028b0386138c84f7188237787c374f6a6cf/examples/SPDXJSONExample-v2.3.spdx.json#L13-L20

https://github.com/spdx/spdx-spec/blob/8a595028b0386138c84f7188237787c374f6a6cf/examples/SPDXJSONExample-v2.3.spdx.json#L264-L268

The DocumentRef-spdx-tool-1.2 document has a namespace specified, but the document is not available at that location (I am assuming that this is just an imaginary document to demonstrate external document refs).

In the tools-golang repo, it was noted in https://github.com/spdx/tools-golang/issues/231 that attempts to validate the SPDX 2.3 example documents will fail, with an error stating that ToolsElement from this external document is used in a relationship but does not exist.

This raises a question to which I don't know the answer: should "validation" of a Document include validating any external documents that it references?

If the answer is "yes", then perhaps there should also be a simple example DocumentRef-spdx-tool-1.2 document in the examples/ directory, so that tools that validate the entire external documents chain are able to do so. I'd be willing to volunteer to put together a very simple example SPDX 2.3 document like this, if that would be of value here.

(Separately, there's of course the question about whether the Golang tools are working correctly even if the sample document were present. I don't know the answer to that, which I'll note in that separate issue.) :)

goneall commented 10 months ago

If I remember correctly, when we discussed the external document references during the SPDX 2.0 spec development, we decided that we would not require access to the external documents - so the only thing we should validate is the format and syntax, not the actual reference itself.

We also decided not to include in the spec the actual location information for the external SPDX document. We only have an identifier, so it may not be possible to locate the external SPDX document to even validate.

swinslow commented 10 months ago

Got it -- thanks @goneall!

Given that, it sounds like a validation program that encounters an External Document Reference and any identifiers that use a DocumentRef- would essentially need to validate that the identifier format is correct; but would not need to confirm e.g. whether that document or those identifiers actually exist, in order to say that this current SPDX Document is valid.

I could imagine some tools deciding that they're going to have a "deeper" kind of validation, by confirming e.g. that every referenced Document actually exists and is present, and that all referenced identifiers exist in those Documents. But it doesn't sound like that's required for the general idea of "validation."

I'll go ahead and close this issue. Thanks @goneall!
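The distinction settled above (check the syntax of DocumentRef- identifiers and that they point at a declared externalDocumentRefs entry, but do not require the external document itself) can be made concrete with a small reference checker. The code below is an added example written for this page; it is not code from spdx-spec or tools-golang, and the SAMPLE document is a constructed, trimmed document in the shape of the SPDX 2.3 JSON example (the namespace URL and checksum in it are made up). Shallow mode is what the thread describes as "validation"; the optional deep mode is the stricter variant swinslow mentions, where the caller must supply the parsed external documents.

```python
"""Shallow vs. deep validation of SPDX 2.3 element references (added example).

Shallow: local SPDXRef- identifiers must resolve within the document;
DocumentRef-X:SPDXRef-Y references are checked for syntax and for a matching
externalDocumentRefs entry only. The external document is never fetched.
Deep: additionally requires the external documents (passed in by the caller)
and the referenced elements inside them to exist.
"""
import json
import re

# SPDX 2.3 idstring: letters, digits, "." and "-" only.
IDSTRING = r"[A-Za-z0-9.\-]+"
LOCAL_ID_RE = re.compile(rf"^SPDXRef-{IDSTRING}$")
DOCREF_ID_RE = re.compile(rf"^DocumentRef-{IDSTRING}$")
EXTERNAL_ELEMENT_RE = re.compile(rf"^(DocumentRef-{IDSTRING}):(SPDXRef-{IDSTRING})$")
SPECIAL_VALUES = {"NONE", "NOASSERTION"}  # allowed in relatedSpdxElement


def local_ids(doc):
    """Collect every SPDXID defined by the document, its packages, files and snippets."""
    ids = set()
    if "SPDXID" in doc:
        ids.add(doc["SPDXID"])
    for key in ("packages", "files", "snippets"):
        for element in doc.get(key, []):
            if "SPDXID" in element:
                ids.add(element["SPDXID"])
    return ids


def validate_references(doc, deep=False, external_docs=None):
    """Return a list of error strings; an empty list means the references are valid.

    external_docs maps a DocumentRef- identifier to a parsed SPDX document and is
    only consulted when deep=True.
    """
    errors = []
    declared = {}
    for ref in doc.get("externalDocumentRefs", []):
        ext_id = ref.get("externalDocumentId", "")
        if not DOCREF_ID_RE.match(ext_id):
            errors.append(f"malformed externalDocumentId {ext_id!r}")
        declared[ext_id] = ref
    known = local_ids(doc)

    for rel in doc.get("relationships", []):
        for field in ("spdxElementId", "relatedSpdxElement"):
            value = rel.get(field, "")
            if field == "relatedSpdxElement" and value in SPECIAL_VALUES:
                continue
            match = EXTERNAL_ELEMENT_RE.match(value)
            if match:
                doc_ref, element = match.groups()
                if doc_ref not in declared:
                    errors.append(f"{value}: {doc_ref} is not declared in externalDocumentRefs")
                elif deep:
                    ext_doc = (external_docs or {}).get(doc_ref)
                    if ext_doc is None:
                        errors.append(f"{value}: external document {doc_ref} not available for deep validation")
                    elif element not in local_ids(ext_doc):
                        errors.append(f"{value}: {element} not found in {doc_ref}")
                continue  # shallow validation stops at syntax + declaration
            if not LOCAL_ID_RE.match(value):
                errors.append(f"{field} {value!r} is not a valid SPDX identifier")
            elif value not in known:
                errors.append(f"{value}: element not defined in this document")
    return errors


# Constructed sample document (not the repository's example file); the
# namespace URL and checksum are invented for illustration.
SAMPLE = json.loads("""{
  "SPDXID": "SPDXRef-DOCUMENT",
  "spdxVersion": "SPDX-2.3",
  "externalDocumentRefs": [{
    "externalDocumentId": "DocumentRef-spdx-tool-1.2",
    "spdxDocument": "https://example.org/spdxdocs/spdx-tools-1.2",
    "checksum": {"algorithm": "SHA1", "checksumValue": "0000000000000000000000000000000000000000"}
  }],
  "packages": [{"SPDXID": "SPDXRef-Package", "name": "glibc"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "SPDXRef-Package",
     "relationshipType": "DESCRIBES"},
    {"spdxElementId": "SPDXRef-Package", "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement",
     "relationshipType": "GENERATED_FROM"}
  ]
}""")

if __name__ == "__main__":
    print("shallow:", validate_references(SAMPLE) or "valid")
    print("deep, no external docs:", validate_references(SAMPLE, deep=True))
```

Run against the constructed sample, shallow validation passes even though the external document is absent, which is the behaviour goneall describes; deep validation reports the missing document rather than silently treating the relationship as broken, and passes once a document defining SPDXRef-ToolsElement is supplied.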