Invalid SPDX with empty file: no SHA1 #3250

Closed
vargenau opened this issue Feb 13, 2023 · 6 comments · Fixed by #3279
@vargenau
Contributor

Description

Generated SPDX is invalid as no SHA1 is provided.

FileName: ./phpwiki/blank.htm
SPDXID: SPDXRef-3
FileChecksum: SHA1:
LicenseConcluded: NOASSERTION
LicenseInfoInFile: NONE
FileCopyrightText: NONE

How To Reproduce

svn checkout https://svn.code.sf.net/p/phpwiki/code/trunk phpwiki
./scancode -c -l -i --license-text --spdx-tv phpwiki.spdx phpwiki

System configuration

./scancode --version
ScanCode version: 32.0.0rc1
ScanCode Output Format version: 3.0.0
SPDX License list version: 3.19

Ubuntu 22.10

@vargenau vargenau added the bug label Feb 13, 2023
@vargenau
Contributor Author

Resulting SPDX file:

phpwiki.spdx.txt

There are 4 empty files that have no SHA1.

@AyanSinhaMahapatra
Member

Thanks for the report!

This is tracked here: #461

vargenau added a commit to vargenau/scancode-toolkit that referenced this issue Feb 27, 2023
@vargenau
Contributor Author

I have provided a fix: #3279

The SHA1 for an empty file is hard-coded; there is perhaps a better way to do it.

@pombredanne
Member

Thanks. This works as a fix! In earnest this is a major wart in SPDX. Because of this and a few others, I never saw a package verification code matching when computed by two different tools :]

@Jeeppler

@vargenau why not just calculate the sha1 sum for an empty file, like for any other file?

I mean I do get the same value as you have hard-coded:

$ sha1sum empty 
da39a3ee5e6b4b0d3255bfef95601890afd80709  empty

However, that means you have to differentiate between empty and non-empty files.

@vargenau
Contributor Author

I will let @pombredanne and @AyanSinhaMahapatra comment.
My understanding is that they do not want to store the SHA1 of empty files because that would make all empty files match.
So as the SHA1 is not stored, I have to put it in at the time of SPDX creation (in order to have valid SPDX).
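
The blank `FileChecksum: SHA1:` field from this report can be caught mechanically before an SPDX document is published or consumed. The following is an added example, not code from this thread or from scancode-toolkit: it flags File entries in SPDX tag-value text whose SHA1 is missing or malformed, and fills in the digest of zero bytes (computed with `hashlib` rather than hard-coded) for files the caller already knows are empty. The function names and the second sample entry are constructed for illustration.

```python
import hashlib
import re

# SHA1 of zero bytes, computed instead of hard-coded.
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()
SHA1_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample: the first entry mirrors the report, the second is made up.
SAMPLE = """\
FileName: ./phpwiki/blank.htm
SPDXID: SPDXRef-3
FileChecksum: SHA1:

FileName: ./phpwiki/example.php
SPDXID: SPDXRef-4
FileChecksum: SHA1: 0123456789abcdef0123456789abcdef01234567
"""

def find_bad_checksums(spdx_text):
    """Return FileName values whose SHA1 checksum is absent or not 40 hex digits."""
    bad, current, ok = [], None, False
    # The trailing sentinel closes the last File entry.
    for line in spdx_text.splitlines() + ["FileName:"]:
        tag, _, value = line.partition(":")
        value = value.strip()
        if tag == "FileName":
            if current is not None and not ok:
                bad.append(current)
            current, ok = value, False
        elif tag == "FileChecksum" and value.startswith("SHA1:"):
            ok = bool(SHA1_RE.match(value[5:].strip()))
    return bad

def fill_empty_file_checksums(spdx_text, empty_files):
    """Fill the blank SHA1 of entries listed in empty_files (known zero-byte files)."""
    out, current = [], None
    for line in spdx_text.splitlines():
        tag, _, value = line.partition(":")
        if tag == "FileName":
            current = value.strip()
        elif tag == "FileChecksum" and value.strip() == "SHA1:" and current in empty_files:
            line = f"FileChecksum: SHA1: {EMPTY_SHA1}"
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print("invalid entries:", find_bad_checksums(SAMPLE))
    print(fill_empty_file_checksums(SAMPLE, {"./phpwiki/blank.htm"}), end="")
```

Passing the set of empty files explicitly keeps the repair from stamping the empty-file digest onto an entry whose checksum is blank for some other reason.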
