tools-python

ExternalPackageRefCategory problems

Open billie-alsup opened this issue 1 year ago • 2 comments

An internal tool is failing to validate SPDX files which use PACKAGE_MANAGER as an ExternalPackageRefCategory. Presumably PERSISTENT_ID would fail validation as well.

According to the SPDX 2.2.2 spec, those underscores should be dashes, i.e. PACKAGE-MANAGER and PERSISTENT-ID.

The same is true in the SPDX 2.3 spec.

billie-alsup, Jul 17 '24 01:07

This is an old issue with the specification that regularly resurfaces; see for example here: https://github.com/spdx/spdx-spec/issues/792. The SPDX Python tools support both versions (with dash or underscore) when parsing JSON/YAML/XML formats.

Do you have a specific issue with the python-tools?

armintaenzertng, Jul 26 '24 09:07

In my case, the internal tools are going by the spec which uses dashes, and so are rejecting the generated SPDX from this repository. Is there a version of the spec that uses underscores, or is this simply to accommodate other implementations? I don't have a problem with accepting both, but would hope we would generate using dashes to conform to the spec (unless I am simply misinformed and looking at the wrong spec!!). Currently, I have to run a filter over the generated SPDX to replace the underscores with dashes. Only then can I upload into our own database, otherwise it is rejected.

billie-alsup, Jul 26 '24 13:07
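The filter step mentioned in the last comment can be done on the parsed document rather than with a text replace, so that only `referenceCategory` values change and other strings stay intact. This is an added example, not code from the thread or from tools-python; it assumes the JSON serialization with `packages[].externalRefs[].referenceCategory`, and the function name and sample document are constructed for illustration.

```python
import json

# Spellings in the SPDX 2.2.2 / 2.3 spec text (SECURITY and OTHER are the
# remaining two categories; the issue names only the first two below).
SPEC_CATEGORIES = {"PACKAGE-MANAGER", "PERSISTENT-ID", "SECURITY", "OTHER"}
# Underscore spellings reported in the issue -> spec spelling.
UNDERSCORE_TO_DASH = {
    "PACKAGE_MANAGER": "PACKAGE-MANAGER",
    "PERSISTENT_ID": "PERSISTENT-ID",
}

# Constructed sample SPDX JSON fragment, not taken from the issue.
SAMPLE_JSON = """
{"spdxVersion": "SPDX-2.3",
 "packages": [
  {"SPDXID": "SPDXRef-Package-a",
   "comment": "resolved via PACKAGE_MANAGER lookup",
   "externalRefs": [
    {"referenceCategory": "PACKAGE_MANAGER", "referenceType": "purl",
     "referenceLocator": "pkg:pypi/example@1.0.0"},
    {"referenceCategory": "PERSISTENT_ID", "referenceType": "swh",
     "referenceLocator": "swh:1:cnt:constructed-placeholder"},
    {"referenceCategory": "SECURITY", "referenceType": "cpe23Type",
     "referenceLocator": "cpe:2.3:a:example:example:1.0.0:*:*:*:*:*:*:*"}]},
  {"SPDXID": "SPDXRef-Package-b",
   "externalRefs": [
    {"referenceCategory": "package-manager", "referenceType": "purl",
     "referenceLocator": "pkg:pypi/other@2.0.0"}]}]}
"""


def normalize_external_ref_categories(document):
    """Rewrite underscore categories in place; return (changed, unknown)."""
    changed, unknown = 0, []
    for pkg in document.get("packages", []):
        for ref in pkg.get("externalRefs", []):
            category = ref.get("referenceCategory")
            if category in UNDERSCORE_TO_DASH:
                ref["referenceCategory"] = UNDERSCORE_TO_DASH[category]
                changed += 1
            elif category not in SPEC_CATEGORIES:
                # Left untouched and reported: guessing could hide a real defect.
                unknown.append((pkg.get("SPDXID"), category))
    return changed, unknown


if __name__ == "__main__":
    doc = json.loads(SAMPLE_JSON)
    changed, unknown = normalize_external_ref_categories(doc)
    print(f"rewrote {changed} categories; unrecognized: {unknown}")
    print(json.dumps(doc, indent=1))
```

The `comment` field in the sample contains the string `PACKAGE_MANAGER` and is left unchanged, which a blanket search-and-replace over the file would not guarantee.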