spdx / tools

SPDX Tools
Apache License 2.0

PACKAGE_MANGER / PACKAGE-MANAGER validation issue #311

Closed rnjudge closed 1 year ago

rnjudge commented 1 year ago

It was decided to use PACKAGE_MANAGER in the SPDX spec in change #618. But, in a July commit, the spec changed from PACKAGE_MANAGER to PACKAGE-MANAGER. This raised a discussion about that change in https://github.com/spdx/spdx-spec/issues/792. The conclusion was to support both formats in https://github.com/spdx/spdx-spec/pull/793.

But, it doesn't look like version 1.0.7 of the SPDX validation tool has been updated to support both 'PACKAGE_MANAGER' / 'PACKAGE-MANAGER' and 'PERSISTENT-ID' / 'PERSISTENT_ID'.

So, our SBOMs are meeting the SPDX standard but not passing the validation tool at https://tools.spdx.org/app/validate.

After we manually substituted PACKAGE-MANAGER for PACKAGE_MANAGER in the JSON-encoded SPDX file, it passes validation. It should validate both PACKAGE_MANAGER and PACKAGE-MANAGER for external references.
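The behaviour the report asks for, accepting either spelling of the external reference category while still rejecting categories the spec does not define, can be shown with a small checker over the JSON encoding. This is an added example, not code from the spdx/tools project; the SPDX document embedded below is constructed for the demonstration, and the set of known categories and the `normalize_category` / `validate_external_refs` names are this example's own choices.

```python
import json

# Reference categories defined by the SPDX 2.x spec, in their hyphenated form.
# The spec accepts both the underscore and the hyphen spelling for
# PACKAGE-MANAGER and PERSISTENT-ID (spdx-spec PR #793), so validation
# normalises before comparing instead of matching one literal.
CANONICAL_CATEGORIES = {"SECURITY", "PACKAGE-MANAGER", "PERSISTENT-ID", "OTHER"}


def normalize_category(category: str) -> str:
    """Map either spelling (PACKAGE_MANAGER / PACKAGE-MANAGER) to the hyphenated form."""
    return category.strip().upper().replace("_", "-")


def validate_external_refs(doc: dict) -> list:
    """Return a list of problems found in the externalRefs of every package.

    Either spelling of a known category is accepted; a category outside the
    known set, or an externalRef missing a required field, is reported rather
    than silently accepted, so a typo cannot slip through as a valid SBOM.
    """
    problems = []
    for pkg in doc.get("packages", []):
        pkg_id = pkg.get("SPDXID", "<missing SPDXID>")
        for ref in pkg.get("externalRefs", []):
            cat = ref.get("referenceCategory")
            if cat is None:
                problems.append(f"{pkg_id}: externalRef without referenceCategory")
                continue
            if normalize_category(cat) not in CANONICAL_CATEGORIES:
                problems.append(f"{pkg_id}: unknown referenceCategory {cat!r}")
            for field in ("referenceType", "referenceLocator"):
                if not ref.get(field):
                    problems.append(f"{pkg_id}: externalRef missing {field}")
    return problems


# Constructed sample document: Package-A uses both spellings (all valid),
# Package-B carries a misspelled category that must be flagged.
SAMPLE_DOC = json.loads("""
{
  "spdxVersion": "SPDX-2.3",
  "packages": [
    {
      "SPDXID": "SPDXRef-Package-A",
      "externalRefs": [
        {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:npm/example@1.0.0"},
        {"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
         "referenceLocator": "pkg:pypi/example@1.0.0"},
        {"referenceCategory": "PERSISTENT_ID", "referenceType": "swh",
         "referenceLocator": "swh:1:cnt:0000000000000000000000000000000000000000"}
      ]
    },
    {
      "SPDXID": "SPDXRef-Package-B",
      "externalRefs": [
        {"referenceCategory": "PACKAGE-MANGER", "referenceType": "purl",
         "referenceLocator": "pkg:npm/other@2.0.0"}
      ]
    }
  ]
}
""")

if __name__ == "__main__":
    # Prints one line per problem; an empty output means the document passed.
    for line in validate_external_refs(SAMPLE_DOC):
        print(line)
```

Normalising on the consumer side is what lets an SBOM written against either revision of the spec validate, while the explicit allow-list keeps the check strict for anything else; running the block reports only the misspelled category on Package-B.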

goneall commented 1 year ago

@rnjudge I just tested the attached file which has both a PACKAGE-MANAGER and a PACKAGE_MANAGER with the current (as of 12/4/2022) online tools and it passes validation.

It looks like the online tools version is more recent than when this problem was experienced (current 1.0.7 vs the reported 1.0.9) so this issue has probably been resolved.

If anyone is still experiencing the problem with the online tool, please check the version - if it is not version 1.0.9, add a new issue. Note that @rjb4standards reported issue #278 which seems to indicate an older version of the online tools used. I'm wondering if there is some issue in the deployment where some of the worker threads are accessing an older version of the tools. I'm not sure how that could be possible, but if we have two people seeing older versions, it is something we should look into. It is also possible that there is a browser caching issue causing the problem.

Attachment: testpkgmgr.json.txt