
The tool is validating invalid SPDX documents #36

Closed
rnjudge opened this issue Oct 21, 2021 · 6 comments

@rnjudge

rnjudge commented Oct 21, 2021

While generating spdx json documents from Tern, @maxhbr found a bug in the Tern SPDX JSON document that was not caught by the latest tools-java-1.0.2-jar-with-dependencies.jar release. He found the bug using jsonschema validation.

$ jsonschema -i tern.spdx.json  spdx-schema.json
Tool: tern-2.8.0: 'Tool: tern-2.8.0' is not of type 'array'
false: 'false' is not of type 'boolean'
true: 'true' is not of type 'boolean'
{'name': 'layer.tar', 'SPDXID': 'SPDXRef-0b40512829', 'fileName': '50445ea47417946f2e6f276a78dcf8 [...] , 'LicenseRef-884dc06']}: Additional properties are not allowed ('fileName' was unexpected)
false: 'false' is not of type 'boolean'
None: None is not of type 'string'

Specifically, the errors missed in the document (more details here):

  • creators is a string and not an array
  • filesAnalyzed is a "false" string instead of a boolean
  • One package name was using the fileName key but it should be packageFileName
  • Some package names are null instead of a string

I will fix this in Tern but also wanted to raise the issue here since we use this tooling suite to verify our documents are valid when we make changes to them.

@goneall
Member

goneall commented Oct 21, 2021

Thanks @rnjudge for raising this issue.

Can you attach a JSON file which should have failed?

I was just working on some other validation related issues and it would be an ideal time to address these as well.

@maxhbr
Member

maxhbr commented Oct 22, 2021

I have uploaded the JSON file generated with tern: tern.spdx.json.gz

@goneall
Member

goneall commented Oct 22, 2021

Thanks @maxhbr

I verified the issue - it looks like all the verification is done after it is deserialized by Jackson - which seems to be very forgiving.

I think we should add a verification against the JSON Schema to the verify code.
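
The point made above (validation runs only after Jackson has deserialized the document, and Jackson is forgiving) and the four misses listed in the opening report can be reproduced in a few lines. The following is an added example, not code from spdx/tools-java, Tern, or anyone in this thread: a small JSON-Schema-style walk over the raw parsed JSON tree, against a constructed schema subset that encodes only the four constraints at issue, compared with the same checks run after a lenient deserializer has coerced the values. The sample document, the coercion rules, and any field names beyond those quoted in the issue are assumptions.

```python
"""Strict schema check on the raw JSON tree vs. checks on a leniently
deserialized model. Added example; not spdx/tools-java or Tern code."""
import json
from typing import Any, Dict, List

# Constructed mini-schema (assumption): a subset of the SPDX JSON schema
# using real JSON Schema keywords, covering just the four reported defects.
SPDX_SUBSET_SCHEMA: Dict[str, Any] = {
    "type": "object",
    "properties": {
        "creationInfo": {
            "type": "object",
            "properties": {
                "creators": {"type": "array", "items": {"type": "string"}},
            },
        },
        "packages": {
            "type": "array",
            "items": {
                "type": "object",
                "properties": {
                    "name": {"type": "string"},
                    "SPDXID": {"type": "string"},
                    "filesAnalyzed": {"type": "boolean"},
                    "packageFileName": {"type": "string"},
                },
                "additionalProperties": False,
            },
        },
    },
}

# Constructed document reproducing the four defects from the issue.
BAD_DOCUMENT = json.dumps({
    "creationInfo": {"creators": "Tool: tern-2.8.0"},          # string, not array
    "packages": [
        {"name": "layer.tar", "SPDXID": "SPDXRef-0b40512829",
         "fileName": "50445ea4...",                             # should be packageFileName
         "filesAnalyzed": "false"},                             # string, not boolean
        {"name": None, "SPDXID": "SPDXRef-pkg2",                # null name
         "filesAnalyzed": True},
    ],
})

_JSON_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}


def validate(value: Any, schema: Dict[str, Any], path: str = "$") -> List[str]:
    """Return 'path: message' strings for every violation; empty means valid."""
    errors: List[str] = []
    expected = schema.get("type")
    if expected and not isinstance(value, _JSON_TYPES[expected]):
        errors.append(f"{path}: {value!r} is not of type '{expected}'")
        return errors  # do not descend into a wrongly typed value
    if expected == "object":
        props = schema.get("properties", {})
        for key, sub in props.items():
            if key in value:
                errors += validate(value[key], sub, f"{path}.{key}")
        if schema.get("additionalProperties") is False:
            for key in value:
                if key not in props:
                    errors.append(f"{path}: additional property '{key}' is not allowed")
    elif expected == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors


def validate_raw_json(text: str) -> List[str]:
    """Validate the parsed tree before any mapping into an object model."""
    return validate(json.loads(text), SPDX_SUBSET_SCHEMA)


def forgiving_load(text: str) -> Dict[str, Any]:
    """Mimic a lenient deserializer (assumed behaviour): wraps a lone string
    into a list, parses "false"/"true" strings as booleans, drops unknown
    keys, and keeps null as-is. The original defects are gone afterwards."""
    doc = json.loads(text)
    creators = doc.get("creationInfo", {}).get("creators", [])
    packages = []
    for pkg in doc.get("packages", []):
        fa = pkg.get("filesAnalyzed", True)
        packages.append({
            "name": pkg.get("name"),
            "SPDXID": pkg.get("SPDXID"),
            "filesAnalyzed": fa if isinstance(fa, bool) else str(fa).lower() == "true",
            "packageFileName": pkg.get("packageFileName"),  # 'fileName' silently lost
        })
    return {"creators": [creators] if isinstance(creators, str) else creators,
            "packages": packages}


def check_model(model: Dict[str, Any]) -> List[str]:
    """The same type rules applied to the deserialized model; only the null
    name survives coercion, so this finds one of the four defects."""
    errs: List[str] = []
    if not isinstance(model["creators"], list):
        errs.append("creators is not a list")
    for pkg in model["packages"]:
        if not isinstance(pkg["name"], str):
            errs.append(f"{pkg['SPDXID']}: name is not a string")
        if not isinstance(pkg["filesAnalyzed"], bool):
            errs.append(f"{pkg['SPDXID']}: filesAnalyzed is not a boolean")
    return errs


if __name__ == "__main__":
    print("raw-tree schema check:", *validate_raw_json(BAD_DOCUMENT), sep="\n  ")
    print("post-deserialization check:", *check_model(forgiving_load(BAD_DOCUMENT)), sep="\n  ")
```

The strict walk reports all four problems with JSON paths; the model check sees only the null name, because the other three were normalised away before it ran. In a real pipeline the raw-tree check belongs before, not instead of, the object-model verification.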

@goneall
Member

goneall commented Oct 22, 2021

I created PR #37 which catches one of the 3 validation errors.

It is not flagging the null packageName, fileName instead of packageFileName, nor the string value for the Boolean filesAnalyzed.

@maxhbr Do you have open source validation code which is catching all of these? If so, can you point to the code so I can compare notes?

@maxhbr
Member

maxhbr commented Oct 24, 2021

The CLI tool that generated the output above is https://github.com/Julian/jsonschema.

@goneall
Member

goneall commented Nov 7, 2021

Resolved with PR #37

@goneall goneall closed this as completed Nov 7, 2021