Closed swinslow closed 10 months ago
If I remember correctly, when we discussed the external document references during the SPDX 2.0 spec development, we decided that we would not require access to the external documents - so the only thing we should validate is the format and syntax, not the actual reference itself.
We also decided not to include in the spec the actual location information for the external SPDX document. We only have an identifier, so it may not be possible to locate the external SPDX document to even validate.
Got it -- thanks @goneall!
Given that, it sounds like a validation program that encounters an External Document Reference and any identifiers that use a `DocumentRef-` would essentially need to validate that the identifier format is correct; but would not need to confirm e.g. whether that document or those identifiers actually exist, in order to say that this current SPDX Document is valid.
I could imagine some tools deciding that they're going to have a "deeper" kind of validation, by confirming e.g. that every referenced Document actually exists and is present, and that all referenced identifiers exist in those Documents. But it doesn't sound like that's required for the general idea of "validation."
I'll go ahead and close this issue. Thanks @goneall!
(raised in connection with https://github.com/spdx/tools-golang/issues/231)
The SPDX 2.3 example documents include an external document reference `DocumentRef-spdx-tool-1.2`, with a relationship to a package `SPDXRef-ToolsElement` in that external document. Here's an example from the JSON document:

https://github.com/spdx/spdx-spec/blob/8a595028b0386138c84f7188237787c374f6a6cf/examples/SPDXJSONExample-v2.3.spdx.json#L13-L20
https://github.com/spdx/spdx-spec/blob/8a595028b0386138c84f7188237787c374f6a6cf/examples/SPDXJSONExample-v2.3.spdx.json#L264-L268

The `DocumentRef-spdx-tool-1.2` document has a namespace specified, but the document is not available at that location (I am assuming that this is just an imaginary document to demonstrate external document refs).

In the tools-golang repo, it was noted in https://github.com/spdx/tools-golang/issues/231 that attempts to validate the SPDX 2.3 example documents will fail, with an error stating that `ToolsElement` from this external document is used in a relationship but does not exist.

This raises a question to which I don't know the answer: should "validation" of a Document include validating any external documents that it references?

If the answer is "yes", then perhaps there should also be a simple example `DocumentRef-spdx-tool-1.2` document in the `examples/` directory, so that tools that validate the entire external documents chain are able to do so. I'd be willing to volunteer to put together a very simple example SPDX 2.3 document like this, if that would be of value here.

(Separately, there's of course the question about whether the Golang tools are working correctly even if the sample document were present. I don't know the answer to that, which I'll note in that separate issue.) :)
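
The outcome of this thread, sketched in Python as an added example (not code from the SPDX project, tools-golang, or any participant): local identifiers in relationships must exist in the document, while `DocumentRef-` identifiers are checked for syntax only and the external document is never fetched. The `check_refs` name and the sample document are constructed for illustration, and treating an undeclared `DocumentRef-` prefix as an error is an assumption of this sketch.

```python
import json
import re

# SPDX 2.x identifier syntax: the idstring is letters, digits, "." and "-".
DOC_REF = re.compile(r"DocumentRef-[A-Za-z0-9.-]+")
SPDX_REF = re.compile(r"SPDXRef-[A-Za-z0-9.-]+")

# Constructed sample modelled on the case in the issue (not the real example file).
SAMPLE = json.loads("""{
  "SPDXID": "SPDXRef-DOCUMENT",
  "externalDocumentRefs": [{"externalDocumentId": "DocumentRef-spdx-tool-1.2"}],
  "packages": [{"SPDXID": "SPDXRef-Package"}],
  "relationships": [
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "DocumentRef-spdx-tool-1.2:SPDXRef-ToolsElement"},
    {"spdxElementId": "SPDXRef-Package", "relatedSpdxElement": "SPDXRef-Missing"},
    {"spdxElementId": "SPDXRef-DOCUMENT", "relatedSpdxElement": "DocumentRef-undeclared:SPDXRef-X"}
  ]}""")


def check_refs(doc):
    """Return problems found in relationship identifiers; nothing is fetched."""
    problems, declared = [], set()
    for ref in doc.get("externalDocumentRefs", []):
        ext_id = ref.get("externalDocumentId", "")
        declared.add(ext_id)
        if not DOC_REF.fullmatch(ext_id):
            problems.append(f"malformed externalDocumentId: {ext_id!r}")
    local = {doc.get("SPDXID", "SPDXRef-DOCUMENT")}
    for kind in ("packages", "files", "snippets"):
        local.update(e.get("SPDXID") for e in doc.get(kind, []))
    for rel in doc.get("relationships", []):
        for ident in (rel.get("spdxElementId", ""), rel.get("relatedSpdxElement", "")):
            if ident in ("NONE", "NOASSERTION"):
                continue
            doc_ref, sep, elem = ident.rpartition(":")
            if sep:  # external: syntax and declaration only, existence is not checked
                if doc_ref not in declared or not SPDX_REF.fullmatch(elem):
                    problems.append(f"bad external reference: {ident}")
            elif ident not in local:  # local: the element must exist in this document
                problems.append(f"unknown local element: {ident}")
    return problems


if __name__ == "__main__":
    print("\n".join(check_refs(SAMPLE)))
```

On the sample, the reference to `SPDXRef-ToolsElement` in the external document passes, while the missing local element and the undeclared external document are reported.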