whitesource-ps / ws-sbom-generator

WS SBOM Report Generator in SPDX or CycloneDX format
Apache License 2.0

[BUG] [ws-sbom-generator] Resulting BOM files do not validate against the SPDX standard #73

Open JoshWallaceBullish opened 2 years ago

JoshWallaceBullish commented 2 years ago

Bug Description
The BOM files that are generated by the script do not appear to be valid according to the SPDX specification. I have tried multiple ways to validate the BOMs including running an SPDX validator manually and by trying to upload the SPDX file into a BOM management tool. I have been unsuccessful in getting the BOM to validate so that it can be consumed by other tooling. Can you please review and confirm that the BOMs generated by this utility conform to the SPDX specification?

Steps to Reproduce
Steps to reproduce the behavior:

  1. Follow the normal directions for generating a BOM using this utility
  2. Leverage an SPDX validator, such as the online validator at https://tools.spdx.org/app/validate/
  3. Upload a BOM file created by Whitesource and attempt to validate
  4. Observe that an error is returned and the BOM is not validated

Expected Behavior
Many tools are attempting to validate the BOM before they will allow the file to be consumed by their tooling. It is expected that the BOM generated by Whitesource will meet the SPDX specification and can be validated by common tools, such as the one linked in the reproduction steps.

Environment Details

NatalyaDalid commented 2 years ago

Hi @JoshWallaceBullish ,

We were able to address the issues you have referred to.
Please upgrade to the latest version.

Thanks, WhiteSource PR Team

JoshWallaceBullish commented 2 years ago

Thanks. I tested it out this morning and I am still receiving validation errors. Below is the latest sampling of errors. You'll notice there are not any errors for lines 1-5. For troubleshooting, I deleted the lines starting with "sha1" and "files[]". The files array looks like it's always empty in my case and the sha1 line is a duplicate of what is already contained within the "checksums" section, so this is likely duplicate info and doesn't conform to the spec.

This SPDX Document is not valid due to:
object instance has properties which are not allowed by the schema: ["sha1"] for {"pointer":"/packages/6"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/7"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/8"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/9"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/10"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/11"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/12"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/13"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/14"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/15"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/16"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/17"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/18"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/19"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/20"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/21"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/22"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/23"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/24"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/25"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/26"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/27"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/28"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/29"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/30"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/31"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/32"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/33"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/34"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/35"}
object instance has properties which are not allowed by the schema: ["files","sha1"] for {"pointer":"/packages/36"}
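
The validator output above boils down to two package-level properties the SPDX JSON schema does not define, "sha1" and "files". The following is an added example, not code from ws-sbom-generator or from anyone in this thread: it reproduces that check locally on an SPDX 2.x JSON document and repairs the two cases described (a bare "sha1" that duplicates or is missing from "checksums", and an empty "files" list). The list of permitted package properties is my transcription of the SPDX 2.3 JSON schema and the sample document is constructed to mimic the generator output.

```python
import copy

# Package-level property names permitted by the SPDX 2.3 JSON schema (assumption:
# my transcription of the schema; note "hasFiles" exists but "files" does not).
SPDX_PACKAGE_PROPERTIES = frozenset({
    "SPDXID", "name", "versionInfo", "packageFileName", "supplier", "originator",
    "downloadLocation", "filesAnalyzed", "packageVerificationCode", "checksums",
    "homepage", "sourceInfo", "licenseConcluded", "licenseInfoFromFiles",
    "licenseDeclared", "licenseComments", "copyrightText", "summary", "description",
    "comment", "externalRefs", "attributionTexts", "primaryPackagePurpose",
    "releaseDate", "builtDate", "validUntilDate", "hasFiles", "annotations",
})

# Constructed sample shaped like the generator output described in the thread.
SAMPLE_DOC = {
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"SPDXID": "SPDXRef-Package-a", "name": "a", "versionInfo": "1.0",
         "checksums": [{"algorithm": "SHA1", "checksumValue": "a" * 40}],
         "sha1": "a" * 40},                       # duplicate of the checksums entry
        {"SPDXID": "SPDXRef-Package-b", "name": "b", "versionInfo": "2.0",
         "files": [], "sha1": "b" * 40},          # empty files[], digest only in sha1
    ],
}

def find_disallowed(doc):
    """Return [(json_pointer, sorted extra properties)], mirroring the validator output."""
    findings = []
    for i, pkg in enumerate(doc.get("packages", [])):
        extra = sorted(set(pkg) - SPDX_PACKAGE_PROPERTIES)
        if extra:
            findings.append((f"/packages/{i}", extra))
    return findings

def fix_packages(doc):
    """Return a copy where a bare 'sha1' is folded into 'checksums' (skipped when the
    same digest is already listed) and an empty 'files' list is dropped. Anything else
    the schema rejects is left alone so find_disallowed() still reports it."""
    fixed = copy.deepcopy(doc)
    for pkg in fixed.get("packages", []):
        sha1 = pkg.pop("sha1", None)
        if sha1:
            checksums = pkg.setdefault("checksums", [])
            listed = {c["checksumValue"].lower() for c in checksums if c.get("algorithm") == "SHA1"}
            if sha1.lower() not in listed:
                checksums.append({"algorithm": "SHA1", "checksumValue": sha1})
        if pkg.get("files") == []:
            del pkg["files"]
    return fixed
```

Run find_disallowed() on a real generator output to see the same pointers the online validator reports; a non-empty "files" list is deliberately left in place, since the example cannot know whether its entries are file SPDXIDs that belong under "hasFiles".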

NatalyaDalid commented 2 years ago

Hey @JoshWallaceBullish, Thank you for your feedback.

Could you please share a bit more detail such as SPDX output format and the WS project name you are testing on? Also, are you testing with this validator? If there is any sensitive data you don't want to share in public, you can also contact us directly by email: ps@whitesourcsoftware.com

Thanks, WhiteSource PS Team

JoshWallaceBullish commented 2 years ago

I have tried using both the JSON and XML output files. I have tried to validate with the vendor product Cybeats SBOM Studio, through the spdx/tools package at https://github.com/spdx/tools, and the online version of the validator at https://tools.spdx.org/app/. Hopefully that helps!

NatalyaDalid commented 2 years ago

Hi @JoshWallaceBullish ,

I wasn't able to reproduce that specific case. It will be helpful to share the WhiteSource Organization name and the WhiteSource product name that you are running on. Meanwhile, try running the following release, and please let us know if it is working as expected. pip install ws-sbom-generator==v0.5.2

Thank you, WhiteSource PS Team

JoshWallaceBullish commented 2 years ago

Hello, unfortunately, that did not solve the problem. I have a bi-weekly call with professional services next week. Would it be possible for you to join that call and we could discuss? Please feel free to reach out directly via email: josh.wallace@bullish.com and I would be happy to provide some additional details.

NatalyaDalid commented 2 years ago

Hello @JoshWallaceBullish ,

I'm sending you a private message.

chrisdecker1201 commented 1 year ago

I think I have a related issue. I'm getting an SPDX from Mend with ws-sbom-generator==v23.1.1.3.

I need to append a package manually to this output and want to use https://github.com/spdx/tools-python, but I can't parse the file.

Can you tell me why you are using a https://github.com/whitesource-ps/tools-python fork of https://github.com/spdx/tools-python which is 155 commits behind?