spdx / tools-java

SPDX Command Line Tools using the Spdx-Java-Library
Apache License 2.0

Error validating SPDX file #143

Closed vargenau closed 11 months ago

vargenau commented 11 months ago

Validating the following file: syft-container5.spdx.json.txt

gives the error:

Error converting: Error converting SPDX file: class org.spdx.library.model.DuplicateSpdxIdException ID LicenseRef-BSD-3-clause-generic already exists.

LicenseRef-BSD-3-clause-generic is found only once in the SPDX JSON file, so I do not understand the error.

goneall commented 11 months ago

@vargenau - line 137538 defines LicenseRef-BSD-3-clause-generic and line 137518 defines LicenseRef-BSD-3-clause-GENERIC.

Since it is very common for SPDX files to refer to the same IDs with different case, the parser compares the IDs without regard to case.

In Annex D, the spec states that license IDs should be treated as case-insensitive, so this SPDX file would be invalid since it is defining the same ID twice.
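A small check for the collision described above, added here as an example (it is not code from tools-java or Syft): it loads an SPDX 2.3 JSON document, folds every `licenseId` under `hasExtractedLicensingInfos` to lower case as Annex D requires, and reports the groups that collide, which is exactly what a case-sensitive grep misses. The document below is constructed for the example; only the two colliding IDs are taken from the issue.

```python
import json
from collections import defaultdict

# Constructed minimal SPDX 2.3 document (not the syft file from the issue).
# The two LicenseRef IDs differ only in case, the situation the parser rejects.
SAMPLE_SPDX_JSON = """
{
  "spdxVersion": "SPDX-2.3",
  "SPDXID": "SPDXRef-DOCUMENT",
  "name": "constructed-example",
  "hasExtractedLicensingInfos": [
    {"licenseId": "LicenseRef-BSD-3-clause-generic", "extractedText": "Redistribution ..."},
    {"licenseId": "LicenseRef-MIT-variant", "extractedText": "Permission is hereby granted ..."},
    {"licenseId": "LicenseRef-BSD-3-clause-GENERIC", "extractedText": "Redistribution ..."}
  ]
}
"""


def find_case_colliding_license_ids(doc: dict) -> list:
    """Group extracted-license IDs that are identical once case is ignored.

    Returns one list per collision, in first-seen order; an empty result means
    no two LicenseRef IDs in the document collide under Annex D's rule.
    """
    groups = defaultdict(list)
    for info in doc.get("hasExtractedLicensingInfos", []):
        license_id = info.get("licenseId")
        if license_id:
            # Lower-casing is the case-insensitive comparison the parser applies.
            groups[license_id.lower()].append(license_id)
    return [ids for ids in groups.values() if len(ids) > 1]


def check_spdx_json(text: str) -> list:
    """Parse an SPDX JSON document and return one message per collision."""
    doc = json.loads(text)
    return [
        "duplicate license ID (case-insensitive): " + ", ".join(ids)
        for ids in find_case_colliding_license_ids(doc)
    ]


if __name__ == "__main__":
    for message in check_spdx_json(SAMPLE_SPDX_JSON):
        print(message)
```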

vargenau commented 11 months ago

@goneall Hi Gary, Thank you for the explanation. I had done my grep case-sensitive.

So the bug is in Syft.

vargenau commented 2 months ago

@goneall Hi Gary, I tested again with java-tools 1.1.8, and now the code is valid with two identifiers LicenseRef-BSD-3-clause-generic and LicenseRef-BSD-3-clause-GENERIC that only differ by case. Has something changed in the code? Was that done on purpose?

lpanni commented 2 months ago

@vargenau Linking your other issue https://github.com/spdx/spdx-spec/issues/981

goneall commented 2 months ago

> @goneall Hi Gary, I tested again with java-tools 1.1.8, and now the code is valid with two identifiers LicenseRef-BSD-3-clause-generic and LicenseRef-BSD-3-clause-GENERIC that only differ by case. Has something changed in the code? Was that done on purpose?

There were some changes in the library code that compares license text, but I didn't see anything that would explain this difference in behavior.