ValidateDocument() fails for official SPDX Spec 2.2/2.3 examples #231
Hi @wallrat, You may have seen that I asked about this in the main SPDX 2.x spec repo, at spdx/spdx-spec#870. Based on the discussion there, it sounds like "validation" for purposes of SPDX tooling generally has looked only at the current SPDX Document, not at e.g. any other Documents that are referenced via an External Document Reference. So here, the SPDX 2.2/2.3 example documents reference an external Based on spdx/spdx-spec#870, it sounds like the presence of that external document and/or the For the Golang tools purposes, the developers could consider whether to e.g. allow different levels of validation -- perhaps a "strict" validation that actually checks every referenced Document, vs. a "default" validation that doesn't look into nested external Documents.
As a tooling vendor building on top of SPDX, and multiple other formats, I'm mostly concerned with end-user expectations - which usually means to be very forgiving with what we accept and give sane feedback on bad input. With that in mind, we usually consider a few levels of 'validity':
What I would expect from a library is to cover 1 and 2. Looking at external resources is way too use-case dependent. From a developer perspective I would definitely expect (as a side note the Go library also fails to parse the XML/RDF example but at the XML layer. I will open a separate issue for that)
The following files from the spdx-spec repository fail to validate:
https://github.com/spdx/spdx-spec/blob/development/v2.3.1/examples/SPDXJSONExample-v2.3.spdx.json
https://github.com/spdx/spdx-spec/blob/development/v2.3/examples/SPDXJSONExample-v2.2.spdx.json
(only tested the JSON versions so far)
ValidateDocument() returns err
ToolsElement used in relationship but no such package exists
https://tools.spdx.org/app/validate/ (based on the Java lib?) validates both fine.
From the 2.3 BOM:
Not enough of an expert on the spec to determine who is in the wrong here. Shouldn't ValidateDocument() take external refs into account? It currently only checks for refs to packages, and files.
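An added example, not code from the issue or from tools-golang: a minimal relationship check that resolves `DocumentRef-…:SPDXRef-…` endpoints against the document's declared `externalDocumentRefs` instead of its local packages and files, without opening the external document. It uses only `encoding/json`; the type and function names and the sample document are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)
// doc is the subset of SPDX 2.x JSON used here; encoding/json matches keys case-insensitively.
type doc struct {
	SPDXID                    string
	Packages, Files, Snippets []struct{ SPDXID string }
	ExternalDocumentRefs      []struct{ ExternalDocumentId string }
	Relationships             []struct{ SpdxElementId, RelatedSpdxElement string }
}
// Constructed sample, trimmed to the fields used (not the spec's example file).
const sample = `{"SPDXID":"SPDXRef-DOCUMENT","packages":[{"SPDXID":"SPDXRef-Package"}],
 "externalDocumentRefs":[{"externalDocumentId":"DocumentRef-example-tool"}],"relationships":[
 {"spdxElementId":"SPDXRef-DOCUMENT","relatedSpdxElement":"DocumentRef-example-tool:SPDXRef-ToolsElement"},
 {"spdxElementId":"SPDXRef-Package","relatedSpdxElement":"DocumentRef-missing:SPDXRef-X"},
 {"spdxElementId":"SPDXRef-Package","relatedSpdxElement":"SPDXRef-Ghost"}]}`
// checkRelationships reports unresolved endpoints; external documents are never fetched.
func checkRelationships(raw []byte) ([]string, error) {
	var d doc
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	local, declared := map[string]bool{d.SPDXID: true}, map[string]bool{}
	for _, e := range append(append(d.Packages, d.Files...), d.Snippets...) {
		local[e.SPDXID] = true
	}
	for _, r := range d.ExternalDocumentRefs {
		declared[r.ExternalDocumentId] = true
	}
	var problems []string
	for _, rel := range d.Relationships {
		for i, id := range []string{rel.SpdxElementId, rel.RelatedSpdxElement} {
			docRef, _, external := strings.Cut(id, ":")
			switch {
			case i == 1 && (id == "NONE" || id == "NOASSERTION"): // valid as related element only
			case external && !declared[docRef]:
				problems = append(problems, "undeclared external document in "+id)
			case !external && !local[id]:
				problems = append(problems, "no local element "+id)
			}
		}
	}
	return problems, nil
}

func main() { fmt.Println(checkRelationships([]byte(sample))) }
```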