Closed jonasob closed 6 years ago
Found the bug. Fix is in progress. @jonasob - would you like me to spin a release so that you can have a downloadable executable once the fix is available?
I also found one problem in the SPDX document - when no package is available, a describes relationship is required between the SPDX document and the elements being described (see section 2.1 describes relationship for details).
I fixed this in the attached SPDX document by adding one describes for every file in the analysis which I think is consistent with your use case. LICENSE.working.spdx.txt
Note that the attached file will still cause an error without the fixed version of the tool.
Fixed in release 2.1.2
Release version 2.1.6 fails when trying to convert from Tag-based to Rdf via TagToRdf on an SPDX document which has no Package definition. The error message is:
If running Verify on an SPDX file without a Package specification, it raises the following concern:
I'm attaching the SPDX file which I feel should validate. If I introduce in this file a Package, plus a relation between the SPDXRef-DOCUMENT and SPDXRef-Package, I can get spdx-tools to be happy about it, but my interpretation of the specification is this should not be needed in v2.1.
LICENSE.nonworking.spdx.txt
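The rule stated in the comments above (a document with no package needs a DESCRIBES relationship from SPDXRef-DOCUMENT to each element it describes), as an added example that is not part of the thread or of spdx-tools: a small Python check over a tag-value document. The function name and the sample document are constructed, and the parser handles only the tags this check needs.

```python
import re

TAG = re.compile(r"^([A-Za-z]+):\s*(.*)$")
DOC = "SPDXRef-DOCUMENT"

def undescribed_files(doc: str) -> list[str]:
    """SPDXIDs of files a package-less tag-value document fails to describe.

    Returns [] when every file is described, or when a package is defined
    (the rule discussed in the thread only concerns package-less documents).
    """
    has_package, files, described = False, [], set()
    pending_file = in_text = False
    for raw in doc.splitlines():
        line = raw.strip()
        # Skip multi-line <text>...</text> values so free text is never read as tags.
        if in_text:
            in_text = "</text>" not in line
            continue
        if "<text>" in line and "</text>" not in line:
            in_text = True
            continue
        m = TAG.match(line)
        if not m:
            continue
        tag, value = m.group(1), m.group(2).strip()
        if tag == "PackageName":
            has_package, pending_file = True, False
        elif tag == "FileName":
            pending_file = True            # the next SPDXID belongs to this file
        elif tag == "SPDXID" and pending_file:
            files.append(value)
            pending_file = False
        elif tag == "Relationship":
            parts = value.split()
            if len(parts) == 3:
                a, rel, b = parts
                if a == DOC and rel == "DESCRIBES":
                    described.add(b)
                elif b == DOC and rel == "DESCRIBED_BY":
                    described.add(a)
    return [] if has_package else [f for f in files if f not in described]

# Constructed sample: two files, no package, only one DESCRIBES relationship.
SAMPLE = """SPDXVersion: SPDX-2.1
SPDXID: SPDXRef-DOCUMENT
FileName: ./LICENSE
SPDXID: SPDXRef-License
FileName: ./README
SPDXID: SPDXRef-Readme
LicenseComments: <text>Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Readme
</text>
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-License
"""

if __name__ == "__main__":
    print(undescribed_files(SAMPLE))
```

The relationship text inside the `<text>` block is ignored, so `SPDXRef-Readme` is reported as undescribed until a real `Relationship:` line is added for it.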