spdx / tools-python

A Python library to parse, validate and create SPDX documents.
http://spdx.org
Apache License 2.0

SPDX3 validation failing on CreationInfo #760

Open mrybczyn opened 1 year ago

mrybczyn commented 1 year ago

I'm facing multiple issues with validating SPDX3 files using spdx-tools python version 0.8.1, all related to CreationInfo. I convert them based on spdx_tools.spdx3.bump_from_spdx2.spdx_document. The result looks like:

  "@graph": [
    {
      "@type": "Tool",
      "@id": "http://spdx.org/spdxdoc/base-files-ee9424e3-1d7e-5739-b9cd-237a1a6f843f#SPDXRef-Actor-OpenEmbeddedCorecreate-spdx.bbclass",
      "creationInfo": {
        "@type": "CreationInfo",
        "specVersion": "3.0.0",
        "created": "2023-09-08T14:44:06Z",
        "createdBy": [
          "http://spdx.org/spdxdoc/base-files-ee9424e3-1d7e-5739-b9cd-237a1a6f843f#SPDXRef-Actor-OpenEmbedded",
          "http://spdx.org/spdxdoc/base-files-ee9424e3-1d7e-5739-b9cd-237a1a6f843f#SPDXRef-Actor-N/A"
        ],
        "profile": [
          "core",
          "software",
          "licensing"
        ],
        "dataLicense": "https://spdx.org/licenses/CC0-1.0",
        "createdUsing": [
          "http://spdx.org/spdxdoc/base-files-ee9424e3-1d7e-5739-b9cd-237a1a6f843f#SPDXRef-Actor-OpenEmbeddedCorecreate-spdx.bbclass"
        ]
      },
      "name": "OpenEmbedded Core create-spdx.bbclass"
    },
[...]

However, the validation run gives:

spdx_tools.spdx.parser.error.SPDXParsingError: ["Error while parsing document None: ['CreationInfo does not exist.']"]

For information, none of the example files from the model (https://github.com/spdx/spdx-3-model/tree/main/serialization/json_ld) validates, but this is likely expected, taking into account changes in the model.

What path do you recommend to resolve? Fix the file according to the older model or update the module for the new CreationInfo syntax?

armintaenzertng commented 1 year ago

Hi @mrybczyn, thanks for your interest in the python-tools! :) The problem you encounter is due to the parser only working for SPDX versions 2.2 and 2.3. This library currently only supports writing of SPDX-3.0 documents, but not parsing. There is a proof of concept I did a while ago, which can be found here, but this is very likely outdated by now as the SPDX3 model is still in development.

If you'd like to contribute to this library, please feel free to put up a PR that implements parsing for SPDX-3.0. :)
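A pre-flight check that tells the two layouts quoted in this thread apart before a file reaches a 2.x-only parser, so that a format mismatch is not mistaken for a validation result. This is an added example, not part of the thread or of spdx-tools. It assumes SPDX 2.x JSON carries top-level `spdxVersion` and `creationInfo` keys and SPDX 3 JSON-LD nests `creationInfo` inside `@graph` elements, as the quoted fragments show; `classify_spdx_json` and the sample documents are hypothetical.

```python
import json

# Constructed sample documents, shaped like the fragments quoted in this thread.
SPDX3_JSONLD = json.dumps({"@graph": [{
    "@type": "Tool",
    "@id": "http://example.invalid/doc#SPDXRef-Actor-Tool",
    "creationInfo": {"@type": "CreationInfo", "specVersion": "3.0.0"},
}]})
SPDX23_JSON = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2023-09-08T14:44:06Z", "creators": ["Tool: constructed"]},
})
SPDX23_NO_CREATIONINFO = json.dumps({"spdxVersion": "SPDX-2.3", "name": "constructed"})

# Versions the maintainer's reply says the parser handles.
PARSEABLE_2X = {"SPDX-2.2", "SPDX-2.3"}


def classify_spdx_json(text):
    """Return (kind, detail); kind is 'spdx2', 'spdx3-jsonld' or 'unknown'."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return "unknown", f"not JSON: {exc.msg}"
    if not isinstance(doc, dict):
        return "unknown", "top level is not a JSON object"
    version = doc.get("spdxVersion")
    if isinstance(version, str):
        if version not in PARSEABLE_2X:
            return "unknown", f"unsupported spdxVersion {version!r}"
        if not isinstance(doc.get("creationInfo"), dict):
            return "spdx2", "top-level creationInfo missing"
        return "spdx2", "ok"
    graph = doc.get("@graph")
    if isinstance(graph, list):
        # SPDX 3 JSON-LD: creationInfo hangs off individual elements.
        specs = sorted({
            str(el["creationInfo"].get("specVersion", "?"))
            for el in graph
            if isinstance(el, dict) and isinstance(el.get("creationInfo"), dict)
        })
        detail = "specVersion " + ", ".join(specs) if specs else "no creationInfo"
        return "spdx3-jsonld", detail
    return "unknown", "neither spdxVersion nor @graph present"


if __name__ == "__main__":
    for label, text in [("spdx3", SPDX3_JSONLD), ("spdx2.3", SPDX23_JSON),
                        ("spdx2.3 broken", SPDX23_NO_CREATIONINFO)]:
        print(label, "->", classify_spdx_json(text))
```

Only documents classified as `spdx2` with detail `ok` are worth handing to the 2.2/2.3 parser; anything else should be reported as unsupported or malformed input rather than as a failed validation.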

alper commented 3 months ago

I have a similar issue but my GitHub-provided document says it's 2.3:

"spdxVersion": "SPDX-2.3",
    "creationInfo": {