usnistgov / swid-tools

https://pages.nist.gov/swid-tools/

n8060:mutable not respected in GEN-14 #12

Closed ajnelson-nist closed 2 years ago

ajnelson-nist commented 2 years ago

Describe the bug

GEN-14 requires every <File> in a SWID tag to provide a @size attribute. However, at times, files will be known to vary in deployments, typically due to being compiled as part of the installation process. To account for files that vary, the @n8060:mutable attribute was defined in NISTIR 8060. A varying file is likely to not have a @size known.

At one point, I thought that @n8060:mutable was respected in the GEN-14 test. However, in today's master branch (commit c5b7df1), a mutable file triggers a validation failure.

Who is the bug affecting?

Generators of SWID tags, typically primary SWID tags.

What is affected by this bug?

The validation process ignores necessary semantics.

When does this occur?

Any SWID tag <File ... n8060:mutable="true" /> lacking a @size will trigger this bug.

How do we replicate the issue?

  1. Build swidval.
  2. Run on this sample file:
    <?xml version="1.0"?>
    <SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" name="example-application" tagId="49b24923-93ef-46ce-a91d-41c1c045e878" tagVersion="1" version="0.0.1" versionScheme="multipartnumeric" xml:lang="en-us">
      <Entity name="National Institute of Standards and Technology" regid="nist.gov" role="softwareCreator tagCreator"/>
      <Evidence xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" n8060:envVarPrefix="$" n8060:envVarSuffix="" n8060:pathSeparator="/">
        <Directory name="${python_purelib}">
          <File name="compiled_file.cpython-39.pyc" n8060:mutable="true"/>
        </Directory>
      </Evidence>
    </SoftwareIdentity>
  3. Review validation-result.xml, especially the element at XPath base-requirement[@id="GEN-14"]/status. It contains FAIL, but should probably contain NOT_APPLICABLE.

Expected behavior (i.e. solution)

Validation should not fail.

Other Comments
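The GEN-14 check as the issue describes it, with the n8060:mutable exemption the report asks for, written out below as a stand-alone Python example. This is added for illustration only; it is not swidval's code and does not reproduce swidval's actual test implementation. It assumes the status semantics the issue suggests: FAIL when any applicable File lacks @size, NOT_APPLICABLE when no File is applicable (for example when the only Files are mutable), and PASS otherwise (the PASS case is this example's own assumption). ISSUE_TAG is the reproduction tag from the issue; MIXED_TAG is constructed for this example, and its tagId, names and sizes are placeholders. Only the standard library is used, so it runs offline.

```python
import xml.etree.ElementTree as ET

SWID_NS = "http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
N8060_NS = "http://csrc.nist.gov/ns/swid/2015-extensions/1.0"
FILE_TAG = "{%s}File" % SWID_NS          # ElementTree's Clark notation for <File>
MUTABLE_ATTR = "{%s}mutable" % N8060_NS  # ... and for the @n8060:mutable attribute

# The reproduction tag from the issue: a single mutable File with no @size.
ISSUE_TAG = """<?xml version="1.0"?>
<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd" name="example-application" tagId="49b24923-93ef-46ce-a91d-41c1c045e878" tagVersion="1" version="0.0.1" versionScheme="multipartnumeric" xml:lang="en-us">
  <Entity name="National Institute of Standards and Technology" regid="nist.gov" role="softwareCreator tagCreator"/>
  <Evidence xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0" n8060:envVarPrefix="$" n8060:envVarSuffix="" n8060:pathSeparator="/">
    <Directory name="${python_purelib}">
      <File name="compiled_file.cpython-39.pyc" n8060:mutable="true"/>
    </Directory>
  </Evidence>
</SoftwareIdentity>
"""

# Constructed for this example (placeholder tagId, names and sizes): a Payload
# that mixes a sized File, a mutable File with no @size, and a non-mutable
# File with no @size, which is a genuine GEN-14 defect.
MIXED_TAG = """<SoftwareIdentity xmlns="http://standards.iso.org/iso/19770/-2/2015/schema.xsd"
  xmlns:n8060="http://csrc.nist.gov/ns/swid/2015-extensions/1.0"
  name="example-application" tagId="00000000-0000-4000-8000-000000000001"
  tagVersion="1" version="0.0.2" versionScheme="multipartnumeric">
  <Entity name="Example Creator" regid="example.com" role="softwareCreator tagCreator"/>
  <Payload>
    <Directory name="lib">
      <File name="module.py" size="1234"/>
      <File name="module.cpython-39.pyc" n8060:mutable="true"/>
      <File name="helper.py"/>
    </Directory>
  </Payload>
</SoftwareIdentity>
"""


def xs_boolean(value):
    """Interpret an xs:boolean lexical value ("true"/"1"); absent or anything else is False."""
    return value is not None and value.strip() in ("true", "1")


def check_gen14(xml_text, respect_mutable=True):
    """Evaluate GEN-14 (every <File> carries @size) over a SWID tag.

    Semantics assumed by this example, not taken from swidval:
      - with respect_mutable=True, a File marked n8060:mutable="true" is exempt,
        because its size is not knowable when the tag is created;
      - FAIL if any applicable File lacks @size, PASS if all applicable Files
        have one, NOT_APPLICABLE if no File is applicable (none, or only mutable).
    Returns a dict with the status and the file names behind it.
    """
    root = ET.fromstring(xml_text)
    failed, passed, skipped = [], [], []
    for elem in root.iter(FILE_TAG):        # recursive: finds Files under any Directory depth
        name = elem.get("name", "<unnamed>")
        if respect_mutable and xs_boolean(elem.get(MUTABLE_ATTR)):
            skipped.append(name)
            continue
        if elem.get("size") is None:
            failed.append(name)
        else:
            passed.append(name)
    if failed:
        status = "FAIL"
    elif passed:
        status = "PASS"
    else:
        status = "NOT_APPLICABLE"
    return {"status": status, "failed": failed, "passed": passed, "skipped": skipped}


if __name__ == "__main__":
    # The issue's tag: FAIL when mutable is ignored, NOT_APPLICABLE when respected.
    print("issue tag, mutable ignored:  ", check_gen14(ISSUE_TAG, respect_mutable=False))
    print("issue tag, mutable respected:", check_gen14(ISSUE_TAG))
    # The constructed tag still fails, but only because of the non-mutable helper.py.
    print("mixed tag:                   ", check_gen14(MIXED_TAG))
```

Running it shows the two behaviours the issue contrasts: with the mutable exemption switched off the issue's tag fails GEN-14 on compiled_file.cpython-39.pyc, and with it on the only File is skipped and the status becomes NOT_APPLICABLE, while a non-mutable File without @size is still reported.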