
Inappropriate test data in invalid-license-id-count #303

Closed
tokcum opened this issue Sep 11, 2023 · 3 comments · Fixed by #305
Labels
test-data related to test-resources and -data validated

Comments


tokcum commented Sep 11, 2023

Hi,

While working on cyclonedx-rust-cargo, I'm experiencing that the invalid-license-id-count test data unexpectedly fails validation.

The code of cyclonedx-rust-cargo does not yet check for a doubly defined id in license. However, the corresponding validation test fails.

Let me explain by referring to an example in invalid-license-id-count-1.4.xml, see below. From the test data's file name and comment provided in the file, I understand that defining id twice is no longer valid. In fact, the test concludes that this BOM is invalid. However, this is not because of the doubly defined id but because of the invalid license identifier: Apache-2 is not a valid SPDX identifier.

This is expected to fail, and it does fail, but for the wrong reason:

<licenses>
    <license>
        <id>Apache-2</id>
        <!-- This was a defect in schema 1.0 and is no longer permitted -->
        <id>Apache-2</id>
    </license>
</licenses>

After changing the id to a valid SPDX identifier, the test unexpectedly passes validation. Of course, to make this fail, I have to update cyclonedx-rust-cargo. However, the test data is inappropriate to conduct this test and needs to be refined.

<licenses>
    <license>
        <id>Apache-2.0</id>
        <!-- This was a defect in schema 1.0 and is no longer permitted -->
        <id>Apache-2.0</id>
    </license>
</licenses>

I'll file a PR to fix this. However, I want to check for other occurrences of this issue within test data.
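The report above is about a fixture that fails validation for a reason other than the one it is named for. The following is an added example (not code from the CycloneDX specification repository or from cyclonedx-rust-cargo) of a small sanity check that reports which rule a BOM actually violates, so a fixture meant for the duplicate-`<id>` rule can be confirmed to trip only that rule. It checks the two rules directly with `xml.etree` instead of running the XSD, and the SPDX identifier set, the `bom_with_ids` helper and the two fixture strings are constructed here for illustration.

```python
"""Added example: report *why* a CycloneDX <license> block is invalid, so that
a test fixture named for one rule is not silently failing for another.
Not part of the CycloneDX specification repo or cyclonedx-rust-cargo."""
import xml.etree.ElementTree as ET

# CycloneDX 1.4 XML namespace, as used by the invalid-license-id-count-1.4.xml fixture.
NS = "{http://cyclonedx.org/schema/bom/1.4}"

# Constructed, deliberately tiny subset of SPDX identifiers for this example;
# a real validator would load the full SPDX license list.
KNOWN_SPDX_IDS = {"Apache-2.0", "MIT", "BSD-3-Clause"}


def find_license_problems(xml_text: str) -> list[str]:
    """Return the names of the rules violated by the <license> elements in xml_text.

    The two rules are evaluated independently so the caller can see each reason:
      - "duplicate-id":    a <license> carries more than one <id> element
      - "unknown-spdx-id": an <id> value is not a known SPDX identifier
    """
    root = ET.fromstring(xml_text)
    problems: list[str] = []
    for lic in root.iter(NS + "license"):
        ids = [(e.text or "").strip() for e in lic.findall(NS + "id")]
        if len(ids) > 1 and "duplicate-id" not in problems:
            problems.append("duplicate-id")
        if any(v not in KNOWN_SPDX_IDS for v in ids) and "unknown-spdx-id" not in problems:
            problems.append("unknown-spdx-id")
    return problems


def fixture_targets_rule(xml_text: str, rule: str) -> bool:
    """True only when the fixture violates exactly `rule` and nothing else.

    This is the property an "invalid-<rule>" fixture should have: a validator
    that does not yet implement `rule` must accept it, and one that does must
    reject it for that rule alone."""
    return find_license_problems(xml_text) == [rule]


def bom_with_ids(*ids: str) -> str:
    """Build a minimal CycloneDX 1.4 BOM (constructed sample, hypothetical helper)
    whose single <license> holds the given <id> elements in order."""
    id_elems = "".join(f"<id>{i}</id>" for i in ids)
    return (
        '<bom xmlns="http://cyclonedx.org/schema/bom/1.4" version="1">'
        '<components><component type="library"><name>example</name>'
        f"<licenses><license>{id_elems}</license></licenses>"
        "</component></components></bom>"
    )


# The two variants from the report, reduced to the <license> content that matters.
ORIGINAL_FIXTURE = bom_with_ids("Apache-2", "Apache-2")        # fails for two reasons
CORRECTED_FIXTURE = bom_with_ids("Apache-2.0", "Apache-2.0")   # fails only for duplicate <id>


if __name__ == "__main__":
    for name, text in [("original", ORIGINAL_FIXTURE), ("corrected", CORRECTED_FIXTURE)]:
        print(f"{name}: {find_license_problems(text)} "
              f"targets duplicate-id only: {fixture_targets_rule(text, 'duplicate-id')}")
```

Run against the original fixture content the check reports both `duplicate-id` and `unknown-spdx-id`, which is exactly the ambiguity the report describes; with a valid identifier only `duplicate-id` remains, so a validator without the duplicate check accepts the file and one with it rejects it for the intended reason.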


tokcum commented Sep 12, 2023

The following files are affected by this issue:

invalid-license-id-count-1.[1-5].xml

Fun fact: my IDE even points me in the right direction. When I fix the SPDX identifier, it correctly states that a double id attribute is not allowed.

Screenshot_2023-09-12_09-42-34


jkowalleck commented Sep 12, 2023

Thanks for bringing this to our attention.

Your report and solution sound reasonable. 👍
Please pull-request your desired solution.

@jkowalleck jkowalleck added the test-data related to test-resources and -data label Sep 12, 2023

jkowalleck commented Sep 12, 2023

Maybe use MIT as the SPDX license ID in the tests.
It is shorter and easier to remember, and it is less likely to be misspelled. 😅

jkowalleck pushed a commit that referenced this issue Sep 12, 2023

closes #303


Signed-off-by: tokcum <tobias.mucke@gmail.com>
jkowalleck pushed a commit to jkowalleck/fork_CycloneDX-specification that referenced this issue Sep 12, 2023

closes CycloneDX#303


Signed-off-by: tokcum <tobias.mucke@gmail.com>
jkowalleck added a commit to jkowalleck/fork_CycloneDX-specification that referenced this issue Sep 12, 2023
forward-port of CycloneDX#305
fixes CycloneDX#303 in 1.6

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
jkowalleck added a commit that referenced this issue Sep 12, 2023