
SPDX tools current state for testing SPDX tag documents.

Open sei-vsarvepalli opened this issue 4 years ago • 3 comments

I am not sure if this tool is currently being developed and maintained. The online checking tool works okay for a sample SPDX file that I am using - the payload is as shown below.

## Document Header
SPDXVersion: SPDX-2.1
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: SwiftBom-v1.8.0-2021-05-18
DocumentNamespace: https://sei.cmu.edu
Creator: Organization:    Software Engineering Institute
Created: 2021-05-18T20:43:00Z
CreatorComment: <text> SBOM-Demo tool to support NTIA SBOM healthcare PoC effort. Primary component is the all inclusive HTML file. </text>
## Packages
## 2.4 Primary Component (described by the SBOM)
PackageName: SwiftBom-v1.8.0
SPDXID: SPDXRef-SwiftBom-v1.8.0
PackageComment: <text>PURL is pkg:supplier/%20%20%20SEI/[email protected]</text>
ExternalRef: PACKAGE-MANAGER purl pkg:supplier/%20%20%20SEI/[email protected]
PackageVersion: 1.8.0
PackageSupplier: Organization:    SEI
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION

On running a sample test using this git repo and the code below:

from spdx.parsers.tagvalue import Parser
from spdx.parsers.tagvaluebuilders import Builder
from spdx.parsers.loggers import StandardLogger

# Build the tag-value parser; the grammar must be built before parse() is called
p = Parser(Builder(), StandardLogger())
p.build()

# Read the SPDX tag-value document and parse it; validation messages go to the logger
with open("test.spdx", "r") as f:
    q = f.read()
document, error = p.parse(q)

I get the following errors.

Package checksum must be instance of spdx.checksum.Algorithm
Package verif_code can not be None.
Package must have at least one file.
Package licenses_from_files can not be empty

As I understand the spec:

  1. Package checksum is optional
  2. PackageVerificationCode is optional as well unless FilesAnalyzed is true
  3. The sample SPDX has no file per se as it is for a device with software
  4. The LicenseInfoInFile is also dependent on what License assertion is as I understand.

So it seems to be not quite working as expected. Can you clarify if there is something wrong with what is being attempted?

Thanks, Vijay

sei-vsarvepalli, May 24 '21 19:05
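An added example, not code from this thread or from tools-python, that applies the SPDX 2.1 cardinality rules the report relies on to the package block quoted above: PackageVerificationCode and PackageLicenseInfoFromFiles are mandatory only when FilesAnalyzed is true or omitted (and must be omitted when it is false), while PackageChecksum is optional throughout. The minimal tag-value reader and the message wording are this example's own; it does not exercise the tools-python validator.

```python
import re

def parse_tag_value(text):
    """Return (tag, value) pairs; skips blanks and '#' comments, unwraps one-line <text> values."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tag, _, value = line.partition(":")
        unwrapped = re.fullmatch(r"<text>(.*)</text>", value.strip(), re.S)
        pairs.append((tag.strip(), unwrapped.group(1).strip() if unwrapped else value.strip()))
    return pairs

def split_packages(pairs):
    """Group pairs into per-package dicts; each PackageName tag opens a new package section."""
    packages = []
    for tag, value in pairs:
        if tag == "PackageName":
            packages.append({})
        if packages:
            packages[-1].setdefault(tag, []).append(value)
    return packages

def check_package(pkg):
    """SPDX 2.1 FilesAnalyzed-dependent cardinality (sections 3.8-3.10, 3.14); PackageChecksum stays optional."""
    problems = []
    files_analyzed = pkg.get("FilesAnalyzed", ["true"])[0].lower() != "false"  # default is true
    for tag in ("PackageVerificationCode", "PackageLicenseInfoFromFiles"):
        if files_analyzed and tag not in pkg:
            problems.append(f"{tag} is mandatory when FilesAnalyzed is true")
        elif not files_analyzed and tag in pkg:
            problems.append(f"{tag} must be omitted when FilesAnalyzed is false")
    return problems

def validate(text):
    """Map each PackageName to its problem list; an empty list means the package passes."""
    return {pkg["PackageName"][0]: check_package(pkg) for pkg in split_packages(parse_tag_value(text))}

# Constructed sample: a subset of the package section quoted in the report above.
SAMPLE = """\
## 2.4 Primary Component (described by the SBOM)
PackageName: SwiftBom-v1.8.0
SPDXID: SPDXRef-SwiftBom-v1.8.0
PackageSupplier: Organization:    SEI
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
"""
```

Running `validate(SAMPLE)` yields an empty problem list for SwiftBom-v1.8.0, which is the outcome the reporter expected from the spec; dropping the FilesAnalyzed line flips both conditional tags to mandatory.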

@sei-vsarvepalli The tool definitely needs love but is overall stable and used in production all the time. What you are trying is not wrong, we just need to support it! Do you think you could help there? I can provide some guidance.

pombredanne, Jun 04 '21 13:06

Hello Philippe @pombredanne

Happy to help, let me know. I can follow your contributing guidelines and commit any updates.

Thanks, Vijay

sei-vsarvepalli, Jun 04 '21 16:06

Hi @sei-vsarvepalli! With the current state of the tool I couldn't reproduce your issue. So I think this is fixed and this issue can be closed.

meretp, Oct 19 '22 11:10

Closing this as it appears to be fixed.

nicoweidner, Nov 04 '22 08:11