spdx / tools-python

A Python library to parse, validate and create SPDX documents.
http://spdx.org
Apache License 2.0

TV SBOM with multiple packages not read correctly #222

Closed jblu42 closed 1 year ago

jblu42 commented 2 years ago

I have an SBOM that only contains packages, with FilesAnalyzed set to false; this should be according to the standard.

Looking at the SBOM examples from SPDX, this example4 causes the same problem when read by the Python library: https://github.com/spdx/spdx-examples/blob/master/example4/spdx/example4-bin.spdx

Error output: spdx.parsers.builderexceptions.OrderError: File::SPDXID

Strange, as this error should only be set when there is a file entry.

Trying to understand the error, it seems it is calling p_spdx_id(self, p) for the next package, and as self.builder.doc_spdx_id_set is True and self.builder.package_spdx_id_set is True, it is calling self.builder.set_file_spdx_id(self.document, value), causing this error.

Looks like it is not "closing" the package and assumes the next package is a file. If somebody with a deeper understanding of the code has some idea what the problem is, it would be much appreciated.

jblu42 commented 2 years ago

For reference, here is the shortened example code from the repository to read a file:

if __name__ == "__main__":
    import sys
    from spdx.parsers.tagvalue import Parser
    from spdx.parsers.loggers import StandardLogger
    from spdx.parsers.tagvaluebuilders import Builder

    # Path of the tag-value SPDX document to read, given on the command line.
    source = sys.argv[1]
    p = Parser(Builder(), StandardLogger())
    p.build()  # construct the grammar once before parsing
    with open(source, "r") as f:
        data = f.read()
    # parse() returns the document and an error flag; the original snippet
    # called it twice and discarded the first result.
    document, error = p.parse(data)

jblu42 commented 1 year ago

@nicoweidner: As you seem to be very active here, may I ask you to have a look at my problem, maybe just to say whether this is a larger thing to fix or to point me in the right direction (code)? This is one of the standard SPDX examples that fails to read.

nicoweidner commented 1 year ago

I am a bit caught up with other issues at the moment, but I will try to have a look (or alternatively pester someone else to have a look)!

jblu42 commented 1 year ago

@nicoweidner: Thanks. If you feel pestered, feel free to ignore my request; I just contacted you because you seem to put some effort into this project :-)

nicoweidner commented 1 year ago

@jblu42 No, not at all! I am sorry if that came off the wrong way, I see that one could certainly read my comment in a not-so-nice way. What I meant was: I know some other people who will also work some more on this project and may try to delegate work to someone else if I realize I won't get to it soon :innocent:

I should try to keep humorous but potentially ambiguous remarks to a minimum :sweat_smile:

meretp commented 1 year ago

Hi @jblu42! I had a look at your problem and I think you are right. The problem could be solved by resetting the builder when a new package is created. I will work on this.
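
The misrouting jblu42 describes above (a second package's SPDXID dispatched to set_file_spdx_id once doc_spdx_id_set and package_spdx_id_set are both True) and the builder reset meretp proposes, as an added Python example that is neither the thread's nor the spdx library's code; OrderError and the three builder names come from the issue, while the tag-value subset, the reset flag and the two-package document are constructed:

```python
# Constructed miniature of the SPDXID dispatch from this issue, not the spdx library's code.
class OrderError(Exception): pass  # name and "File::SPDXID" message taken from the issue

class Builder:
    def __init__(self):
        self.doc_spdx_id_set = False
        self.package_spdx_id_set = False
        self.packages, self.files = [], []

    def create_package(self, name, reset):
        if reset:  # the fix from the thread: clear per-package state for every new package
            self.package_spdx_id_set = False
        self.packages.append({"name": name})

    def set_file_spdx_id(self, value):
        if not self.files:  # no FileName seen yet: the error reported in the issue
            raise OrderError("File::SPDXID")
        self.files[-1]["spdx_id"] = value

def p_spdx_id(builder, value):
    # Dispatch as the issue describes: once document and package ids are set,
    # every further SPDXID is assumed to belong to a file.
    if not builder.doc_spdx_id_set:
        builder.doc_spdx_id_set = True
    elif not builder.package_spdx_id_set:
        builder.packages[-1]["spdx_id"] = value
        builder.package_spdx_id_set = True
    else:
        builder.set_file_spdx_id(value)

def parse(text, reset_on_new_package):
    """Return [(package name, SPDXID), ...] or raise OrderError like the library."""
    b = Builder()
    for line in text.splitlines():
        tag, _, value = line.partition(":")
        if tag.strip() == "PackageName":
            b.create_package(value.strip(), reset_on_new_package)
        elif tag.strip() == "SPDXID":
            p_spdx_id(b, value.strip())
    return [(p["name"], p["spdx_id"]) for p in b.packages]

# Constructed two-package, FilesAnalyzed: false document in the issue's shape.
SBOM = """SPDXVersion: SPDX-2.2
SPDXID: SPDXRef-DOCUMENT
PackageName: libfoo
SPDXID: SPDXRef-libfoo
FilesAnalyzed: false
PackageName: libbar
SPDXID: SPDXRef-libbar
FilesAnalyzed: false"""
```

parse(SBOM, False) reproduces the OrderError: File::SPDXID from the report; parse(SBOM, True) returns both packages with their ids.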

jblu42 commented 1 year ago

@meretp Thanks, much appreciated.

nicoweidner commented 1 year ago

@jblu42 Should be fixed on main now (thanks @meretp!), feel free to try it out.

jblu42 commented 1 year ago

@nicoweidner: Already tried it, works like a charm. I could complete the Python script I was working on with it, thanks!