spdx / tools-java

SPDX Command Line Tools using the Spdx-Java-Library
Apache License 2.0

Improvement suggestion: list all validation errors at a time #164

Open rnjudge opened 3 months ago

rnjudge commented 3 months ago

The Java tools only list the first issue they come across when there is a validation error, even if multiple issues exist. I suggest listing all the validation errors at once. The Python tools' validation lists all the errors at once. By listing all of the errors at once with the Java tooling, SPDX users will have a more consistent user experience. Additionally, users know there are multiple issues up front instead of thinking there is only one error to fix.

When I validate an SBOM with multiple errors using the java tooling:

[rose@fedora]$ java -jar tools-java-1.1.8-jar-with-dependencies.jar Verify ~/scope-antilles-outdated-deps/spdx.json
This SPDX Document is not valid due to:
    Relationship error: Relationship error: Relationship error: Invalid license id 'CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0'.  Must start with 'LicenseRef-' and made up of the characters from the set 'a'-'z', 'A'-'Z', '0'-'9', '+', '_', '.', and '-'. in javax.annotation:javax.annotation-api in bazel in bazel in server in server in <sha checksum redacted>
    Relationship error: Relationship error: Relationship error: License not found for CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0 in javax.annotation:javax.annotation-api in bazel in bazel in server in server in <sha checksum redacted>

versus with the same document using python tooling:

[rose@fedora]$ pyspdxtools -i spdx.json 
ERROR:root:The document is invalid. The following issues have been found:
Unrecognized license reference: CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0. license_expression must only use IDs from the license list or extracted licensing info, but is: CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0
homepage must be a valid URL, but is:  https://github.com/KhronosGroup/Vulkan-headers
Unrecognized license reference: LicenseRef-Public-Domain. license_expression must only use IDs from the license list or extracted licensing info, but is: LicenseRef-Public-Domain
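The behaviour being requested above, collecting every validation problem into one report instead of stopping at the first, shown as an added example that is not code from this issue, from tools-java or from the Python tools. It validates a small SPDX-JSON-shaped document built inline for the purpose (the package names and the bad license ID are lifted from the output above; the rest of the document, the four-entry subset of the SPDX license list, the simplified expression tokenizer and the error wording are all my own assumptions), checks each license expression against the "on the license list, or starts with 'LicenseRef-' and is declared in extractedLicensingInfos" rule, checks homepage URLs, and checks that relationships point at elements that exist. The same walk can run in fail-fast mode so the two styles of output can be compared on the same input.

```python
import re
from urllib.parse import urlparse

# Constructed subset of the SPDX license list; a real validator loads the full list.
KNOWN_LICENSE_IDS = {"CDDL-1.0", "GPL-2.0-only", "Apache-2.0", "MIT"}

# LicenseRef rule quoted by the Java tools: 'LicenseRef-' prefix, then [a-zA-Z0-9+_.-].
LICENSE_REF_RE = re.compile(r"^LicenseRef-[A-Za-z0-9+_.\-]+$")
OPERATORS = {"AND", "OR", "WITH"}
NO_VALUE = {"NOASSERTION", "NONE"}


class ValidationError(Exception):
    """Raised only in fail-fast mode, carrying the first problem found."""


def check_license_expression(expr, extracted_refs):
    """Return every problem in one SPDX license expression (empty list if valid).

    Simplified tokenizer (assumption): parentheses are ignored and operator
    precedence is not checked; only the identifiers themselves are validated.
    """
    problems = []
    for tok in expr.replace("(", " ").replace(")", " ").split():
        if tok in OPERATORS:
            continue
        plain = tok[:-1] if tok.endswith("+") else tok  # tolerate 'GPL-2.0+' style
        if plain in KNOWN_LICENSE_IDS:
            continue
        if tok.startswith("LicenseRef-"):
            if not LICENSE_REF_RE.match(tok):
                problems.append(f"invalid LicenseRef id {tok!r}: only [a-zA-Z0-9+_.-] allowed")
            elif tok not in extracted_refs:
                problems.append(f"license reference {tok!r} is not declared in extractedLicensingInfos")
        else:
            problems.append(f"invalid license id {tok!r}: must be on the license list or start with 'LicenseRef-'")
    return problems


def check_homepage(url):
    """Return problems with a package homepage (empty list if acceptable)."""
    if url in NO_VALUE:
        return []
    if url != url.strip():
        return [f"homepage has leading or trailing whitespace: {url!r}"]
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return [f"homepage must be a valid URL, but is: {url!r}"]
    return []


def validate_document(doc, fail_fast=False):
    """Walk the document and return ALL errors; with fail_fast=True raise on the first."""
    errors = []

    def report(context, message):
        text = f"{context}: {message}"
        if fail_fast:
            raise ValidationError(text)
        errors.append(text)  # collect and keep going

    extracted = {e.get("licenseId") for e in doc.get("hasExtractedLicensingInfos", [])}
    for pkg in doc.get("packages", []):
        ctx = f"package {pkg.get('SPDXID', '?')}"
        for field in ("licenseConcluded", "licenseDeclared"):
            expr = pkg.get(field)
            if expr and expr not in NO_VALUE:
                for problem in check_license_expression(expr, extracted):
                    report(ctx, f"{field}: {problem}")
        if "homepage" in pkg:
            for problem in check_homepage(pkg["homepage"]):
                report(ctx, problem)

    known_ids = {doc.get("SPDXID")} | {p.get("SPDXID") for p in doc.get("packages", [])}
    for rel in doc.get("relationships", []):
        ctx = f"relationship {rel.get('relationshipType', '?')}"
        for end in ("spdxElementId", "relatedSpdxElement"):
            ref = rel.get(end)
            if ref not in known_ids and ref not in NO_VALUE:
                report(ctx, f"{end} {ref!r} does not refer to an element in this document")
    return errors


def first_error_only(doc):
    """The fail-fast behaviour, as a value: the first error text, or None if valid."""
    try:
        validate_document(doc, fail_fast=True)
    except ValidationError as exc:
        return str(exc)
    return None


# Constructed sample document with four independent problems.
SAMPLE_DOC = {
    "SPDXID": "SPDXRef-DOCUMENT",
    "hasExtractedLicensingInfos": [{"licenseId": "LicenseRef-Classpath-exception-2.0"}],
    "packages": [
        {"SPDXID": "SPDXRef-javax-annotation",
         "licenseConcluded": "CDDL-1.0-AND-GPL-2.0-only-AND-LicenseRef-Classpath-exception-2.0",
         "licenseDeclared": "(CDDL-1.0 OR GPL-2.0-only) WITH LicenseRef-Classpath-exception-2.0"},
        {"SPDXID": "SPDXRef-vulkan-headers", "licenseConcluded": "Apache-2.0",
         "homepage": " https://github.com/KhronosGroup/Vulkan-headers"},
        {"SPDXID": "SPDXRef-public-domain-lib", "licenseConcluded": "LicenseRef-Public-Domain"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-javax-annotation"},
        {"spdxElementId": "SPDXRef-javax-annotation", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-missing"},
    ],
}

if __name__ == "__main__":
    print("fail-fast reports only:", first_error_only(SAMPLE_DOC))
    print("collect-all reports:")
    for err in validate_document(SAMPLE_DOC):
        print("   ", err)
```

The only structural difference between the two modes is `report()`: appending to a list versus raising. Keeping the "continue after an error" decision in one place is what makes a whole-document report cheap to add to a validator that was originally written to throw; the exception path is still needed for input so malformed that the walk itself cannot continue, which is the case goneall mentions later in the thread.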

goneall commented 3 months ago

@rnjudge - the Java tools "should" collect all validation errors and report them all. I wonder if the difference you are seeing is due to the Python tools picking up an issue that the Java tools missed?

rnjudge commented 3 months ago

@goneall I don't think the difference is Python tools picking up an issue that java missed. I have seen this commonly with the Java tools where only one issue is listed at a time. Then, when I fix that issue in the SBOM a new error will be reported the next time I run the tool. I will try to find an SBOM I can give you that shows this behavior.

goneall commented 3 months ago

@rnjudge - if you find an example where you fix one error and another pops up, please attach. It could well be a bug. It should report all errors unless the parsing error is so severe the file parsing can not continue.