spdx / tools-python

A Python library to parse, validate and create SPDX documents.
http://spdx.org
Apache License 2.0

ExternalPackageRefCategory problems #813

Open billie-alsup opened 3 months ago

billie-alsup commented 3 months ago

An internal tool is failing to validate SPDX files which use PACKAGE_MANAGER as an ExternalPackageRefCategory. Presumably PERSISTENT_ID would fail validation as well.

According to the SPDX 2.2.2 spec, those underscores should be dashes, i.e. PACKAGE-MANAGER and PERSISTENT-ID.

The same is true in the SPDX 2.3 spec.

armintaenzertng commented 3 months ago

This is an old issue with the specification that regularly resurfaces, see for example here: https://github.com/spdx/spdx-spec/issues/792. The SPDX python tools support both versions (with dash or underscore) when parsing JSON/YAML/XML formats.

Do you have a specific issue with the python-tools?

billie-alsup commented 3 months ago

In my case, the internal tools are going by the spec which uses dashes, and so are rejecting the generated SPDX from this repository. Is there a version of the spec that uses underscores, or is this simply to accommodate other implementations? I don't have a problem with accepting both, but would hope we would generate using dashes to conform to the spec (unless I am simply misinformed and looking at the wrong spec!!). Currently, I have to run a filter over the generated SPDX to replace the underscores with dashes. Only then can I upload into our own database, otherwise it is rejected.
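The kind of filter the reporter describes, written out as an added example (it is not code from this thread or from the spdx/tools-python project). It works on the plain JSON structure of an SPDX document, `packages[].externalRefs[].referenceCategory`, with no dependency on the library, accepts both spellings on input, emits the dashed spec spelling, rejects anything that is neither, and reports which values it changed so the rewrite can be audited. The sample document is constructed for the example.

```python
import copy
import json

# Spec spellings of referenceCategory (SPDX 2.2.2 / 2.3 use dashes, as the issue states).
SPEC_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", "OTHER"}

# Underscore spellings emitted by some tools, mapped to the dashed spec form.
UNDERSCORE_TO_DASH = {
    "PACKAGE_MANAGER": "PACKAGE-MANAGER",
    "PERSISTENT_ID": "PERSISTENT-ID",
}


def normalize_category(value: str) -> str:
    """Return the dashed spec spelling of a referenceCategory value.

    Accepts either spelling on input; rejects anything that is neither, so a
    typo or an unknown category is reported instead of silently passed through.
    """
    canonical = UNDERSCORE_TO_DASH.get(value, value)
    if canonical not in SPEC_CATEGORIES:
        raise ValueError(f"unknown referenceCategory: {value!r}")
    return canonical


def normalize_document(doc: dict) -> tuple[dict, list[tuple[str, str]]]:
    """Rewrite every packages[*].externalRefs[*].referenceCategory to the dashed spelling.

    Returns a new document (the input is not mutated) and a list of
    (package SPDXID, original value) for each value that was rewritten.
    """
    out = copy.deepcopy(doc)
    changed = []
    for pkg in out.get("packages", []):
        pkg_id = pkg.get("SPDXID", "<no SPDXID>")
        for ref in pkg.get("externalRefs", []):
            original = ref.get("referenceCategory")
            if original is None:
                continue
            canonical = normalize_category(original)
            if canonical != original:
                ref["referenceCategory"] = canonical
                changed.append((pkg_id, original))
    return out, changed


def normalize_json_text(text: str) -> str:
    """Whole-file convenience wrapper: JSON text in, normalized JSON text out."""
    new_doc, _ = normalize_document(json.loads(text))
    return json.dumps(new_doc, indent=2)


# Constructed sample: a minimal SPDX 2.3 JSON fragment with one underscore value
# and one already-conformant value. Not taken from any real SBOM.
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "packages": [
        {
            "SPDXID": "SPDXRef-Package-A",
            "name": "example-a",
            "externalRefs": [
                {
                    "referenceCategory": "PACKAGE_MANAGER",
                    "referenceType": "purl",
                    "referenceLocator": "pkg:pypi/example-a@1.0.0",
                }
            ],
        },
        {
            "SPDXID": "SPDXRef-Package-B",
            "name": "example-b",
            "externalRefs": [
                {
                    "referenceCategory": "SECURITY",
                    "referenceType": "cpe23Type",
                    "referenceLocator": "cpe:2.3:a:example:example-b:2.0:*:*:*:*:*:*:*",
                }
            ],
        },
    ],
}


if __name__ == "__main__":
    fixed, changes = normalize_document(SAMPLE_DOC)
    for pkg_id, old in changes:
        print(f"{pkg_id}: {old} -> {normalize_category(old)}")
    print(json.dumps(fixed, indent=2))
```

Raising on unknown values is deliberate: a blanket `replace("_", "-")` over the whole file would also touch locators and names that legitimately contain underscores, whereas restricting the rewrite to the `referenceCategory` field and validating the result keeps the filter from changing anything the spec does not cover.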