license_info_in_file is mandatory in SPDX-2.2 #2163
Comments
NOTE: "file name must not be an absolute path starting with "/", but is: /etc" is handled by issue: #2093
This error is not according to the spec:
This error is also not according to the spec:
Hi @kzantow - Thanks for looking at this. I realised that my reproduction instructions were not accurate as I had a syft.yaml file in the directory. I removed this file and updated the instructions in my original comment to include the environment variable Let me address your comments above also.
This is complaining about this section of the generated file:
This contains the following:
I believe this is not the same as "must be omitted" as it is explicitly set to an empty string. If I manually edit the json file and update it to read the following, that error disappears.
Actually, I could also remove (ie, omit) the key
with respect to:
I think the above is for The section would be this:
The errors for this being:
I think the relevant specification section is: I think the issue is that "null" does not match the required cardinality of
as one is a directory "/etc" and the other one is "" (actually not sure what file that is matching?). But "NOASSERTION" is also good too if the tool does not check.
About the
issue, I've filed an upstream PR to fix this: spdx/tools-golang#223 And you're right about the
Thanks @kzantow. Will look forward to these changes.
Putting this back to in progress since there isn't anything to review until the upstream PR is merged
What happened:
When I try to validate the spdx-2.2 json file using python-tools command pyspdxtools, it outputs a number of different issues, one of them being for each File, it says the license_info_in_file is mandatory. For example, it says the following for the /etc directory that is listed.
In the spdx file, it has:
What you expected to happen:
Using Microsoft's sbom-tool, it has the following for each file which does validate:
Steps to reproduce the issue:
There are other validation issues also... I guess I will write a bug for each one?
Anything else we need to know?:
If I manually edit the json and change the file entry from null to the array with NOASSERTION, then that particular error goes away.
Environment:
syft version:
cat /etc/os-release (or similar):
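A pre-validation check for the condition reported in this issue, as an added example that is not part of the original issue and is not code from syft, pyspdxtools or sbom-tool. It assumes the SPDX 2.2 JSON layout with a top-level files array and the licenseInfoInFiles key. It goes slightly beyond the null case in the report by also flagging a missing key, an empty list and a non-list value, and it applies the manual NOASSERTION edit described above. The sample document is constructed.

```python
import json

# Constructed sample (not real syft output): the null case from the issue,
# plus empty, valid and missing variants of the same field.
SAMPLE = """
{
  "spdxVersion": "SPDX-2.2",
  "files": [
    {"SPDXID": "SPDXRef-File-a", "fileName": "/etc", "licenseInfoInFiles": null},
    {"SPDXID": "SPDXRef-File-b", "fileName": "etc/hosts", "licenseInfoInFiles": []},
    {"SPDXID": "SPDXRef-File-c", "fileName": "etc/passwd", "licenseInfoInFiles": ["MIT"]},
    {"SPDXID": "SPDXRef-File-d", "fileName": "etc/motd"}
  ]
}
"""

FIELD = "licenseInfoInFiles"  # JSON key behind the license_info_in_file error


def load_sample():
    """Parse the constructed sample document."""
    return json.loads(SAMPLE)


def find_missing_license_info(doc):
    """Return (index, SPDXID, reason) for each file entry without at least one value."""
    problems = []
    for i, entry in enumerate(doc.get("files") or []):
        ident = entry.get("SPDXID", "<no SPDXID>")
        if FIELD not in entry:
            problems.append((i, ident, "missing"))
        elif entry[FIELD] is None:
            problems.append((i, ident, "null"))
        elif not isinstance(entry[FIELD], list):
            problems.append((i, ident, "not a list"))
        elif not entry[FIELD]:
            problems.append((i, ident, "empty"))
    return problems


def apply_noassertion(doc):
    """Set the field to ["NOASSERTION"] on every flagged entry; return how many changed."""
    problems = find_missing_license_info(doc)
    for i, _ident, _reason in problems:
        doc["files"][i][FIELD] = ["NOASSERTION"]
    return len(problems)
```
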