ExternalRefCategory 'PACKAGE_MANAGER' is not compliant with SPDX 2.2 specification #267
Comments
Interesting is that it changed from 2.2. In 2.2.2, both values seem to be allowed:
I picked the "development" branches instead of the release branches. The proper links would be: It seems to have changed only for 2.3. Thus, I wonder whether
Ah, good catch! I raised an issue in the SPDX repo for clarification.
I found some other information in spdx/spdx-spec#792 and spdx/spdx-spec#618. From what I understand, both values should be supported, but the form used in the documentation is preferred. So when reading it should support both values, but when writing it should use the dash instead of the underscore. That would be a breaking change though, so maybe for now I can cook up a JSON converter that reads both dashes and underscores but writes underscores so as not to break current behavior. Then for the next major release a change can be made to move from underscores to dashes.
…ixes CycloneDX#267) Signed-off-by: Wessel Terpstra <wessel@wesselterpstra.com>
Note that this changes serialization of reference categories to use dashes instead of underscores [1]. Continue to accept underscores when deserializing for backward-compatibility, also see the discussion at [2]. Generally, deserialization of SPDX 2.2 is still supported. The diff of `spdx-schema.json` nicely resembles the code changes. Resolves #5445. [1]: https://github.com/spdx/spdx-spec/blob/v2.3/schemas/spdx-schema.json#L325 [2]: CycloneDX/cyclonedx-dotnet-library#267 Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>
@wterpstra is there an update on this fix?
According to the SPDX 2.2 specification the referenceCategory of an ExternalReference can be SECURITY, PACKAGE-MANAGER, PERSISTENT-ID or OTHER. However, in the ExternalRefCategory enum it is PACKAGE_MANAGER, which uses an underscore instead of a dash.
cyclonedx-dotnet-library/src/CycloneDX.Spdx/Models/v2_2/ExternalRefCategory.cs, lines 22 to 27 in 1e3886b
When trying to convert a valid SPDX SBOM it will result in this exception:
My current workaround is just string replacing PACKAGE-MANAGER with PACKAGE_MANAGER before passing it to the cyclonedx-cli:
cat manifest.spdx.json | sed 's/PACKAGE-MANAGER/PACKAGE_MANAGER/g' | ./cyclonedx-linux-x64 convert --input-format spdxjson --output-format json > cyclonedx.json
I'm happy to contribute a solution for this, but changing an enum field or its (de)serialization is breaking to the current behavior. Should the old behavior still be supported? What should be the default?
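As an added example (not code from the issue, the linked commits, or the CycloneDX library itself), here is a tolerant converter of the kind proposed in the comments: it accepts both PACKAGE-MANAGER and PACKAGE_MANAGER when reading, and writes the spec's dash form by default, with a switch to keep writing underscores so current output is unchanged until a major release. It assumes .NET 6 or later with System.Text.Json, and the ExternalRefCategory enum and ExternalRef model it uses are hypothetical stand-ins that only mirror the four categories named in the issue, not the library's actual types. Unlike the sed workaround, which rewrites the string wherever it appears in the file (including any referenceLocator or comment text that happens to contain it), the converter only touches the referenceCategory field, and it rejects unknown categories instead of silently mapping them to OTHER.

```csharp
using System;
using System.Text.Json;
using System.Text.Json.Serialization;

// Hypothetical enum mirroring the four SPDX 2.2 categories named in the issue.
// It stands in for the library's own ExternalRefCategory and is not that type.
public enum ExternalRefCategory
{
    SECURITY,
    PACKAGE_MANAGER,
    PERSISTENT_ID,
    OTHER
}

// Tolerant converter: reads both the dashed spelling from the spec ("PACKAGE-MANAGER")
// and the underscored one the enum uses ("PACKAGE_MANAGER"). On write it emits dashes
// by default; pass writeDashes: false to keep emitting underscores (current behaviour).
public sealed class ExternalRefCategoryConverter : JsonConverter<ExternalRefCategory>
{
    private readonly bool _writeDashes;

    public ExternalRefCategoryConverter(bool writeDashes = true)
    {
        _writeDashes = writeDashes;
    }

    public override ExternalRefCategory Read(ref Utf8JsonReader reader, Type typeToConvert, JsonSerializerOptions options)
    {
        if (reader.TokenType != JsonTokenType.String)
        {
            throw new JsonException($"referenceCategory must be a string, got {reader.TokenType}");
        }

        string raw = reader.GetString() ?? throw new JsonException("referenceCategory is null");

        // The two accepted spellings differ only in '-' versus '_', so normalise to the
        // enum's underscore form and then require an exact, case-sensitive name match.
        string normalised = raw.Replace('-', '_');
        foreach (string name in Enum.GetNames(typeof(ExternalRefCategory)))
        {
            if (string.Equals(name, normalised, StringComparison.Ordinal))
            {
                return Enum.Parse<ExternalRefCategory>(name);
            }
        }

        // Fail loudly rather than silently mapping an unknown category to OTHER.
        throw new JsonException($"Unknown referenceCategory '{raw}'");
    }

    public override void Write(Utf8JsonWriter writer, ExternalRefCategory value, JsonSerializerOptions options)
    {
        string name = value.ToString();
        writer.WriteStringValue(_writeDashes ? name.Replace('_', '-') : name);
    }
}

// Minimal hypothetical model with the three ExternalRef fields used below.
public sealed class ExternalRef
{
    [JsonPropertyName("referenceCategory")]
    public ExternalRefCategory ReferenceCategory { get; set; }

    [JsonPropertyName("referenceType")]
    public string ReferenceType { get; set; } = "";

    [JsonPropertyName("referenceLocator")]
    public string ReferenceLocator { get; set; } = "";
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input (not taken from a real SBOM): the same reference spelled
        // both ways, as a spec-conformant writer and the current library would emit it.
        const string input =
            "[{\"referenceCategory\":\"PACKAGE-MANAGER\",\"referenceType\":\"purl\",\"referenceLocator\":\"pkg:nuget/Example@1.0.0\"}," +
            " {\"referenceCategory\":\"PACKAGE_MANAGER\",\"referenceType\":\"purl\",\"referenceLocator\":\"pkg:nuget/Example@1.0.0\"}]";

        var readOptions = new JsonSerializerOptions();
        readOptions.Converters.Add(new ExternalRefCategoryConverter());
        ExternalRef[] refs = JsonSerializer.Deserialize<ExternalRef[]>(input, readOptions)
                             ?? throw new InvalidOperationException("no references parsed");

        foreach (ExternalRef r in refs)
        {
            Console.WriteLine(r.ReferenceCategory); // both entries parse to PACKAGE_MANAGER
        }

        // Spec-conformant output (dashes) versus backward-compatible output (underscores).
        var dashOptions = new JsonSerializerOptions();
        dashOptions.Converters.Add(new ExternalRefCategoryConverter(writeDashes: true));
        Console.WriteLine(JsonSerializer.Serialize(refs, dashOptions));

        var underscoreOptions = new JsonSerializerOptions();
        underscoreOptions.Converters.Add(new ExternalRefCategoryConverter(writeDashes: false));
        Console.WriteLine(JsonSerializer.Serialize(refs, underscoreOptions));
    }
}
```

The converter is registered through JsonSerializerOptions.Converters rather than a [JsonConverter] attribute so that the writeDashes flag can be chosen per serializer instance; that is the switch a library could flip in a major release without touching the model types.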