The tool is validating invalid SPDX documents #36
Comments
Thanks @rnjudge for raising this issue. Can you attach a JSON file which should have failed? I was just working on some other validation related issues and it would be an ideal time to address these as well.
I have uploaded the JSON file generated with tern: tern.spdx.json.gz
Thanks @maxhbr I verified the issue - it looks like all the verification is done after it is deserialized by Jackson - which seems to be very forgiving. I think we should add a verification against the JSON Schema to the verify code.
I created PR #37 which catches one of the 3 validation errors. It is not flagging the null. @maxhbr Do you have open source validation code which is catching all of these? If so, can you point to the code so I can compare notes?
The CLI tool that generated the output above is https://github.com/Julian/jsonschema.
Resolved with PR #37
While generating spdx json documents from Tern, @maxhbr found a bug in the Tern SPDX JSON document that was not caught by the latest tools-java-1.0.2-jar-with-dependencies.jar release. He found the bug using jsonschema validation.

Specifically missed errors in the document (more details here):
- creators is a string and not an array
- filesAnalyzed is a "false" string instead of a boolean
- fileName key but it should be packageFileName
- null instead of a string

I will fix this in Tern but also wanted to raise the issue here since we use this tooling suite to verify our documents are valid when we make changes to them.
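The kind of strict type check on the raw JSON, before any lenient deserializer sees it, that this thread asks for, as an added example (not code from tools-java, Tern or the jsonschema project). The schema fragment, the `validate` helper and the sample document are constructed for illustration, and the use of `name` as the field carrying `null` is an assumption, since the issue does not say which field it was.

```python
import json

# Constructed schema fragment covering only the fields named in the issue
# (an assumption for this example, not the official SPDX JSON Schema).
PACKAGE = {"type": "object", "additionalProperties": False, "properties": {
    "name": {"type": "string"},  # hypothetical choice for the null-valued field
    "filesAnalyzed": {"type": "boolean"},
    "packageFileName": {"type": "string"}}}
SCHEMA = {"type": "object", "properties": {
    "creationInfo": {"type": "object", "properties": {
        "creators": {"type": "array", "items": {"type": "string"}}}},
    "packages": {"type": "array", "items": PACKAGE}}}

TYPES = {"object": dict, "array": list, "string": str, "boolean": bool}

def validate(value, schema, path="$"):
    """Return a list of 'path: problem' strings; an empty list means valid."""
    expected = TYPES[schema["type"]]
    # No coercion: "false" is not a boolean and null is not a string.
    if not isinstance(value, expected):
        return [f"{path}: expected {schema['type']}, got {json.dumps(value)}"]
    errors = []
    if expected is dict:
        props = schema.get("properties", {})
        for key, child in value.items():
            if key in props:
                errors += validate(child, props[key], f"{path}.{key}")
            elif schema.get("additionalProperties") is False:
                # Misspelled or wrong keys are reported, not silently dropped.
                errors.append(f"{path}.{key}: unknown key")
    elif expected is list:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors

# Constructed document reproducing the four kinds of error listed in the issue.
BAD_DOC = json.loads("""{
  "creationInfo": {"creators": "Tool: tern"},
  "packages": [{"name": null, "filesAnalyzed": "false", "fileName": "pkg.tar"}]
}""")

if __name__ == "__main__":
    for problem in validate(BAD_DOC, SCHEMA):
        print(problem)
```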