Closed vargenau closed 11 months ago
@vargenau - line 137538 defines LicenseRef-BSD-3-clause-generic and line 137518 defines LicenseRef-BSD-3-clause-GENERIC.
Since it is very common for SPDX files to refer to the same IDs with different case, the parser compares the IDs without regard to case.
In Annex D, the spec states that license IDs should be treated as case insensitive, so this SPDX file would be invalid since it is defining the same ID twice.
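An added example (not part of the thread and not java-tools code): a Python check for the condition described above, LicenseRef IDs defined more than once when compared without regard to case, reported with their line numbers. The sample document is constructed; the check assumes SPDX 2.x JSON, where extracted licenses are listed under `hasExtractedLicensingInfos` with a `licenseId` field.

```python
import json
import re
from collections import defaultdict

# Constructed sample document (not the file from this issue); only the
# fields needed for the check are present.
SAMPLE_SPDX_JSON = """{
  "spdxVersion": "SPDX-2.3",
  "hasExtractedLicensingInfos": [
    {"licenseId": "LicenseRef-BSD-3-clause-GENERIC", "extractedText": "..."},
    {"licenseId": "LicenseRef-MIT-variant", "extractedText": "..."},
    {"licenseId": "LicenseRef-BSD-3-clause-generic", "extractedText": "..."}
  ]
}"""

# Matches a licenseId definition on one line of the serialized JSON.
LICENSE_ID_DEF = re.compile(r'"licenseId"\s*:\s*"([^"]+)"')


def find_case_collisions(spdx_json_text):
    """Return {lowercased_id: [(line_no, id_as_written), ...]} for every
    extracted license ID that is defined more than once ignoring case."""
    doc = json.loads(spdx_json_text)

    # Count definitions per case-insensitive ID from the parsed document.
    definitions = defaultdict(int)
    for info in doc.get("hasExtractedLicensingInfos", []):
        license_id = info.get("licenseId")
        if isinstance(license_id, str):
            definitions[license_id.lower()] += 1
    colliding = {key for key, count in definitions.items() if count > 1}

    # Locate each colliding definition in the text so it can be found in a
    # very large file; a case-sensitive grep would miss one of the spellings.
    report = defaultdict(list)
    for line_no, line in enumerate(spdx_json_text.splitlines(), start=1):
        for match in LICENSE_ID_DEF.finditer(line):
            written = match.group(1)
            if written.lower() in colliding:
                report[written.lower()].append((line_no, written))
    return dict(report)


if __name__ == "__main__":
    for key, hits in find_case_collisions(SAMPLE_SPDX_JSON).items():
        print(key, hits)
```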
@goneall Hi Gary, Thank you for the explanation. I had done my grep case-sensitive.
So the bug is in Syft.
@goneall
Hi Gary,
I tested again with java-tools 1.1.8
And now the code is valid with two identifiers LicenseRef-BSD-3-clause-generic and LicenseRef-BSD-3-clause-GENERIC that only differ by case.
Has something changed in the code? Was that done on purpose?
@vargenau Linking your other issue https://github.com/spdx/spdx-spec/issues/981
@goneall Hi Gary, I tested again with java-tools 1.1.8 And now the code is valid with two identifiers LicenseRef-BSD-3-clause-generic and LicenseRef-BSD-3-clause-GENERIC that only differ by case. Has something changed in the code? Was that done on purpose?
There were some changes in the library code that compares license text, but I didn't see anything that would explain this difference in behavior.
Validating the following file: syft-container5.spdx.json.txt
gives the error:
LicenseRef-BSD-3-clause-generic is found only once in the SPDX JSON file, so I do not understand the error.