Questions about SBOM specifications for tag:value #1178

Closed
yakuri opened this issue Jan 23, 2025 · 2 comments
Labels: question (Request for information or clarification)

Comments

yakuri commented Jan 23, 2025

Greetings. Let me ask a question about the SBOM specification for tag:value.
I received an SBOM described in SPDX v2.2 tag:value format.
test-sbom.spdx.txt

The SBOM described FilesAnalyzed under Relationships as follows.
Is this writing style correct as a tag:value specification?

Question Background: The VALIDATE results are different between tools-python and tools-java.

tools-python: VALIDATE failed
tools-java: VALIDATE success

```text
## Package Information
PackageName: TestPackage1
SPDXID: SPDXRef-package-test1
PackageVersion: 1.0.0
PackageSupplier: NOASSERTION
PackageOriginator: Organization: test
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
## Relationships
Relationship: SPDXRef-package-test1 DYNAMIC_LINK SPDXRef-package-test2
Relationship: SPDXRef-package-test1 DYNAMIC_LINK SPDXRef-package-test3
FilesAnalyzed: false
```

Sincerely,

goneall (Member) commented Jan 24, 2025

From the Composition of an SPDX Document section, it looks like the properties in the package information should all precede the relationships section.

It looks like the SPDX python validator is correct and the SPDX Java tools should have flagged this as invalid.

@bact bact added the question Request for information or clarification label Jan 24, 2025
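The ordering rule goneall describes can be checked mechanically. The following is an added example written for this thread, not code from tools-python, tools-java or the attached test-sbom.spdx.txt: a small tag:value tokenizer plus a check that reports any package-information tag (PackageVersion, FilesAnalyzed, ...) that appears after a Relationship line without a new PackageName in between. The document header lines in the constructed sample are assumed; only the package block reproduces the snippet from the question.

```python
"""Ordering check for SPDX 2.2 tag:value documents (added example).

Rule checked: every tag of a package's information block must precede the
Relationship lines that follow that package. A package tag found after a
Relationship: line, with no new element started in between, is out of order.
"""
import re
from typing import List, Tuple

# One "Tag: value" line. Values may contain further colons
# ("PackageOriginator: Organization: test"), so only the first one splits.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")

# Tags of a package's information block (SPDX 2.2 package fields).
PACKAGE_TAGS = {
    "PackageName", "SPDXID", "PackageVersion", "PackageFileName",
    "PackageSupplier", "PackageOriginator", "PackageDownloadLocation",
    "FilesAnalyzed", "PackageVerificationCode", "PackageChecksum",
    "PackageHomePage", "PackageSourceInfo", "PackageLicenseConcluded",
    "PackageLicenseInfoFromFiles", "PackageLicenseDeclared",
    "PackageLicenseComments", "PackageCopyrightText", "PackageSummary",
    "PackageDescription", "PackageComment", "PackageAttributionText",
    "ExternalRef", "ExternalRefComment",
}
# Tags that open a new element; seeing one starts a fresh information block.
ELEMENT_START_TAGS = {"PackageName", "FileName", "SnippetSPDXID"}
RELATIONSHIP_TAGS = {"Relationship", "RelationshipComment"}


def tokenize(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, tag, value) triples. Blank lines and '#' comments are
    skipped; a multi-line <text>...</text> value is folded onto its tag."""
    tokens = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line_no = i + 1
        stripped = lines[i].strip()
        i += 1
        if not stripped or stripped.startswith("#"):
            continue
        m = TAG_RE.match(stripped)
        if not m:
            raise ValueError(f"line {line_no}: not a 'Tag: value' line: {stripped!r}")
        tag, value = m.group(1), m.group(2)
        if value.startswith("<text>") and "</text>" not in value:
            while i < len(lines) and "</text>" not in lines[i]:
                value += "\n" + lines[i]
                i += 1
            if i >= len(lines):
                raise ValueError(f"line {line_no}: unterminated <text> value")
            value += "\n" + lines[i]
            i += 1
        tokens.append((line_no, tag, value))
    return tokens


def check_package_ordering(text: str) -> List[str]:
    """Return one message per package tag that appears after a Relationship
    line without a new element having been started in between."""
    errors = []
    after_relationship = False
    for line_no, tag, _value in tokenize(text):
        if tag in ELEMENT_START_TAGS:
            after_relationship = False
        elif tag in RELATIONSHIP_TAGS:
            after_relationship = True
        elif tag in PACKAGE_TAGS and after_relationship:
            errors.append(
                f"line {line_no}: {tag} appears after a Relationship line; "
                "package information must precede the relationships section"
            )
    return errors


# Constructed sample reproducing the layout from the question. The document
# header lines are assumed; the attached file itself is not reproduced.
BAD_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: test-sbom
DocumentNamespace: http://example.invalid/spdx/test-sbom
Creator: Tool: example-generator
Created: 2025-01-23T00:00:00Z

## Package Information
PackageName: TestPackage1
SPDXID: SPDXRef-package-test1
PackageVersion: 1.0.0
PackageSupplier: NOASSERTION
PackageOriginator: Organization: test
PackageDownloadLocation: NOASSERTION
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
PackageCopyrightText: NOASSERTION
PackageSummary: <text>Test package
used for validator comparison</text>
## Relationships
Relationship: SPDXRef-package-test1 DYNAMIC_LINK SPDXRef-package-test2
Relationship: SPDXRef-package-test1 DYNAMIC_LINK SPDXRef-package-test3
FilesAnalyzed: false
"""

# The same document with FilesAnalyzed moved back into the package block.
_lines = BAD_SBOM.splitlines()
_lines.remove("FilesAnalyzed: false")
_lines.insert(_lines.index("PackageVersion: 1.0.0") + 1, "FilesAnalyzed: false")
GOOD_SBOM = "\n".join(_lines) + "\n"

if __name__ == "__main__":
    for name, doc in (("as received", BAD_SBOM), ("reordered", GOOD_SBOM)):
        problems = check_package_ordering(doc)
        print(f"{name}: {'VALIDATE failed' if problems else 'VALIDATE success'}")
        for p in problems:
            print("  " + p)
```

Run as a script, the sample as received is reported with the stray FilesAnalyzed line flagged, and the reordered copy passes; that is the same split the question reports between the two tool validators. The check deliberately resets on PackageName, FileName and SnippetSPDXID only, so a tag:value file that interleaves several packages each followed by their own relationships still passes.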
yakuri (Author) commented Jan 25, 2025

Hi, @goneall

Thanks for your reply.
I understood the above.

> SPDX Java tools should have flagged this as invalid.

The above matter is currently being confirmed at spdx/tools-java#182.

yakuri closed this as completed Jan 25, 2025