ORT reports error, if copyrightText in SPDX Document is empty #7222
Comments
So, this is about reading SPDX files generated by another party via the If I'm reading your request right, you say that ORT should not complain about The specs over here are also not super clear about how to deal with blank strings, but given that the field description says "Any text related to a copyright notice, even if not complete" I'd personally say that a blank string is not related to a copyright notice, and it's also not an incomplete copyright notice (but simply no copyright notice at all). TL;DR, in my opinion the above SPDX example is invalid according to the specs, and ORT rightfully refuses to parse it. Unfortunately, https://tools.spdx.org/ is currently down so I cannot easily run the validator on it.
However, I believe #7224 is a correct thing to do.
Moreover, the semantics of a blank
Yes, that is correct. I have provided your answer to the user who raised this issue with us and will get back to you.
Hey @sschuberth @hanna-modica, I raised this issue and I totally agree that this is definitely not clear in any documentation. I just ran our spdx.json with these entries through the validator and it says it is valid. I'm definitely no expert in SPDX and don't know what exactly is validated there or which version is taken into account... But since everybody and every tool generating SPDX can have different interpretations, and ORT I guess wants to be a general analyzer, I would like to see ORT handling everything gracefully. I personally would vote for an empty string being the same as if the field is not present and therefore meaning NOASSERTION. This would, at least in our case, also fit the values for "licenseConcluded" and could also fit the description of NOASSERTION
(https://spdx.github.io/spdx-spec/v2.3/file-information/#88-copyright-text-field). So an empty string means the creator intentionally did not specify this. But again there is plenty of room for different interpretations... Would there even be a difference between NONE and NOASSERTION for the copyrightText? I thought the license is more important. In version 2.3 the copyrightText is not even mandatory anymore...
Actually, to me an important aspect of ORT also is to enforce best practices and standards. Sure, we could be lenient when reading and strict when writing, but that probably does not help much to question ambiguous SPDX documents that are in the wild, in order to bubble up to the tools that created them and fix these.
I believe you, like @hanna-modica, are mixing up the cases where
Yes: To me the question boils down to: Why risk that something could be misinterpreted by using unspecified values? Instead, as an SPDX document author I'd simply play safe and avoid empty / blank strings being written for
I would expect the SPDX community to enforce best practices and standards. At the end ORT and all other tools are just users of SPDX and as already mentioned can have different interpretations of unclear statements.
You are totally right that it is the same case for licenseConcluded, but in the example above licenseConcluded is set to NOASSERTION but for the copyrightText we have the empty string. That's why I meant in this case one could assume the empty string also means NOASSERTION as it would match the license.
The licenseConcluded is set to NOASSERTION but the copyrightText is not. Whereas it is not mandatory in the linked specs from the GitHub repo: https://spdx.github.io/spdx-spec/v2-draft/file-information/#88-copyright-text-field If it is not mandatory I would even say that ORT could totally ignore it if there is no valid entry. Let's see what the SPDX guys tell us.
👍🏻
Interesting. When I set the text for an existing
Indeed interesting, if I just add a file from our SPDX to your example it is still valid. That's what I added to the files section:

```json
{
  "fileName": "/etc/X11/Xsession.d/90gpg-agent",
  "SPDXID": "SPDXRef-File-etc-X11-Xsession.d-90gpg-agent-a17b5f10826a8aca",
  "checksums": [
    {
      "algorithm": "SHA1",
      "checksumValue": "0000000000000000000000000000000000000000"
    }
  ],
  "licenseConcluded": "NOASSERTION",
  "copyrightText": "",
  "comment": "layerID: sha256:f9eef85611c1fa226ded9a9d4fcc070448e050b7282bf662f32167ade49c4a03"
}
```

But I also tried just removing the copyrightText from one file directly in the example and got the same warning. So there has to be some other setting or link or something that triggers that...
This is because in version 2.2 of the spec, the
But note that "not present" is not the same thing as "present and set to empty".
See my comment above. It is valid if I copy the mentioned text into the SPDX 2.2 example.
With the statement from here, it has been clarified that providing a blank string for the In that regard ORT's behavior is strict, but correct, so I'm closing this. For making SPDX parsing optionally less strict also see #8052 (at the example of
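To make the "strict but correct" versus "optionally lenient" distinction from this thread concrete, here is an added example (not ORT's code and not the reporter's file) that classifies the copyrightText of each entry in an SPDX 2.2 JSON "files" array. It keeps "absent" and "blank" apart, rejects blank strings in strict mode, and, in lenient mode, applies the reporter's proposal of reading a blank string as NOASSERTION; the sample document and its SPDXIDs are constructed for the example.

```python
import json

def classify_copyright_text(file_entry):
    """Classify one "files" entry's copyrightText. "absent" and "blank" are kept
    distinct because the thread stresses a missing field differs from one set to ""."""
    if "copyrightText" not in file_entry:
        return "absent"
    value = file_entry["copyrightText"]
    if value == "NOASSERTION":
        return "noassertion"
    if value == "NONE":
        return "none"
    if isinstance(value, str) and value.strip():
        return "text"
    return "blank"  # "", whitespace only, or not a string at all

def effective_copyright_text(file_entry, strict=True):
    """Value a consumer acts on, or None when the field is absent. strict=True mirrors
    ORT's behaviour in the thread (blank is an error); strict=False is the reporter's
    proposal (blank is read as NOASSERTION)."""
    kind = classify_copyright_text(file_entry)
    if kind == "absent":
        return None
    if kind == "blank":
        if strict:
            raise ValueError(f"{file_entry.get('SPDXID', '?')}: blank copyrightText; "
                             "use NOASSERTION, NONE or an actual notice")
        return "NOASSERTION"
    return file_entry["copyrightText"]

def check_document(spdx_json, strict=True):
    """Return ({SPDXID: effective value}, [problem messages]) for every file."""
    results, problems = {}, []
    for entry in json.loads(spdx_json).get("files", []):
        try:
            results[entry.get("SPDXID", "?")] = effective_copyright_text(entry, strict)
        except ValueError as exc:
            problems.append(str(exc))
    return results, problems

# Constructed sample document (not the reporter's real file). SPDXRef-File-a has a
# blank copyrightText next to licenseConcluded NOASSERTION, the combination in the thread.
SAMPLE = json.dumps({"spdxVersion": "SPDX-2.2", "SPDXID": "SPDXRef-DOCUMENT", "files": [
    {"fileName": "./a.c", "SPDXID": "SPDXRef-File-a", "licenseConcluded": "NOASSERTION", "copyrightText": ""},
    {"fileName": "./b.c", "SPDXID": "SPDXRef-File-b", "licenseConcluded": "MIT", "copyrightText": "Copyright 2023 Example Corp"},
    {"fileName": "./c.c", "SPDXID": "SPDXRef-File-c", "licenseConcluded": "NOASSERTION", "copyrightText": "NONE"},
    {"fileName": "./d.c", "SPDXID": "SPDXRef-File-d", "licenseConcluded": "NOASSERTION"},
]})
```

Running `check_document(SAMPLE, strict=True)` reports exactly one problem (SPDXRef-File-a) and leaves the other three entries intact; `check_document(SAMPLE, strict=False)` reports none and yields NOASSERTION for that file.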
ORT is currently only supporting SPDX version 2.2, where it is not clearly specified what to do if the copyrightText of a file is empty.
In version 2.3 it is now defined to use NOASSERTION if the copyrightText is empty. Since this is not a major version update it should be the same in version 2.2.
See https://github.com/spdx/spdx-spec/blob/development/v2.3/schemas/spdx-schema.json#L520 and https://github.com/spdx/spdx-spec/blob/development/v2.2/schemas/spdx-schema.json#L441 to compare.
Another option would be to simply assume NONE if the string is empty. Either way, ORT should not report an error.
This seems to be similar to #6985
Excerpt from one of our users' SPDX JSON file: