
Invalid SPDX: missing copyright text #3346

Closed
vargenau opened this issue Oct 18, 2024 · 3 comments · Fixed by #3495
bug Something isn't working good-first-issue Good for newcomers

Comments

vargenau (Contributor) commented Oct 18, 2024

What happened:

Generated SPDX is invalid, mandatory copyright text is missing

What you expected to happen:

SPDX should be valid

Steps to reproduce the issue:

syft docker:bitnami/mongodb:6.0.6-debian-11-r0 --scope all-layers -o [email protected] > mongodb-6.0.6-debian-11-r0.spdx

Anything else we need to know?:

Environment:

  • Output of syft version:
    Application:    syft
    Version:        1.14.1
    BuildDate:      2024-10-15T12:50:47Z
    GitCommit:      Homebrew
    GitDescription: [not provided]
    Platform:       darwin/arm64
    GoVersion:      go1.23.2
    Compiler:       gc
  • OS (e.g: cat /etc/os-release or similar):
    macOS 14.7
@vargenau vargenau added the bug Something isn't working label Oct 18, 2024
@anchore anchore deleted a comment from BlowMeMike Oct 28, 2024
kzantow (Contributor) commented Oct 28, 2024

Hey @vargenau -- would you mind posting the error you are getting? We seem to be having issues running the online validator on this SBOM. Thanks!

vargenau (Contributor, Author) commented:

Hello,

It's better to download and install the Java tools https://github.com/spdx/tools-java or the Python tools https://github.com/spdx/tools-python locally than to use the online tools for big SPDX files.

This is the generated SBOM:
mongodb-6.0.6-debian-11-r0.spdx.txt

Running

pyspdxtools -i mongodb-6.0.6-debian-11-r0.spdx

gives the following result:
pyspdxtools.txt

Most errors are related to #2093

But for this bug report you have:

copyright_text is mandatory in SPDX-2.2

The Java tools give:
javatools.zip

kzantow (Contributor) commented Oct 29, 2024

Thanks @vargenau. I do see the Copyright Text is a mandatory field in SPDX 2.2. We should default this to NOASSERTION, like we do for other required fields. I've added this to the backlog and always happy to review any pull requests!
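
As an added example (not syft's code and not spdx/tools-python, which the thread uses for validation), the script below performs the check the validators fail on for this bug against an SPDX 2.2 tag-value document: it splits the file into package sections, reports any package missing a mandatory field, and applies the fix direction from the comment above by defaulting an absent PackageCopyrightText to NOASSERTION. The embedded sample SBOM is constructed for this example; the mandatory-field list is the unconditional per-package set from the SPDX 2.2 specification (fields that are only required when FilesAnalyzed is true are left out).

```python
"""Presence check for the SPDX 2.2 mandatory PackageCopyrightText field.
Constructed example for this issue; not syft's code and not spdx/tools-python."""
import re
import sys

# Per-package fields SPDX 2.2 requires unconditionally (fields mandatory only
# when FilesAnalyzed is true, e.g. PackageVerificationCode, are left out).
MANDATORY_PACKAGE_FIELDS = (
    "PackageName",
    "SPDXID",
    "PackageDownloadLocation",
    "PackageLicenseConcluded",
    "PackageLicenseDeclared",
    "PackageCopyrightText",
)

# Constructed sample mirroring the defect: libbar has no PackageCopyrightText.
SAMPLE_SBOM = """\
SPDXVersion: SPDX-2.2
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: example
DocumentNamespace: https://example.invalid/sbom/example

##### Package: libfoo

PackageName: libfoo
SPDXID: SPDXRef-Package-libfoo
PackageVersion: 1.2.3
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: MIT
PackageLicenseDeclared: MIT
PackageCopyrightText: NOASSERTION

##### Package: libbar

PackageName: libbar
SPDXID: SPDXRef-Package-libbar
PackageVersion: 4.5.6
PackageDownloadLocation: NOASSERTION
FilesAnalyzed: false
PackageLicenseConcluded: NOASSERTION
PackageLicenseDeclared: NOASSERTION
Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-libfoo
"""

# A "Tag: value" line; continuation lines of multi-line <text> values do not match.
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def split_packages(text):
    """Return [(first_line_index, {tag: value}), ...], one entry per package.
    Sections start at each PackageName; header lines before the first are ignored."""
    packages, current = [], None
    for idx, line in enumerate(text.splitlines()):
        m = TAG_RE.match(line)
        if not m:
            continue
        tag, value = m.groups()
        if tag == "PackageName":
            current = {}
            packages.append((idx, current))
        if current is not None:
            current.setdefault(tag, value)  # first occurrence wins
    return packages


def missing_fields(text):
    """Map each package (by SPDXID) to the mandatory tags it lacks; {} means all pass."""
    problems = {}
    for _, fields in split_packages(text):
        missing = [t for t in MANDATORY_PACKAGE_FIELDS if t not in fields]
        if missing:
            problems[fields.get("SPDXID", fields["PackageName"])] = missing
    return problems


def default_copyright_text(text, default="NOASSERTION"):
    """Add 'PackageCopyrightText: <default>' to each package lacking it, right after
    that package's last Package* tag so trailing Relationship lines do not separate it."""
    lines = text.splitlines()
    packages = split_packages(text)
    bounds = [start for start, _ in packages] + [len(lines)]
    insert_after = []
    for (start, fields), end in zip(packages, bounds[1:]):
        if "PackageCopyrightText" in fields:
            continue
        insert_after.append(max(
            i for i in range(start, end)
            if (m := TAG_RE.match(lines[i])) and m.group(1).startswith("Package")))
    for pos in sorted(insert_after, reverse=True):  # back to front keeps indices valid
        lines.insert(pos + 1, f"PackageCopyrightText: {default}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    sbom = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SBOM
    problems = missing_fields(sbom)
    for pkg, missing in problems.items():
        print(f"{pkg}: missing {', '.join(missing)}")
    sys.exit(1 if problems else 0)
```

This is a presence check only: it does not validate field values, multi-line <text> blocks, or the document header, which is what tools-java and tools-python are for. Run it with no arguments to exercise the constructed sample, or pass a syft-generated .spdx tag-value file as the first argument; it exits non-zero when any package is missing a mandatory field.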

@kzantow kzantow added the good-first-issue Good for newcomers label Oct 29, 2024
@kzantow kzantow moved this to Ready in OSS Oct 29, 2024
Fearkin added a commit to Fearkin/syft that referenced this issue Nov 21, 2024
@Fearkin Fearkin mentioned this issue Nov 21, 2024
Fearkin added a commit to Fearkin/syft that referenced this issue Nov 21, 2024
Signed-off-by: Fearkin <[email protected]>
@willmurphyscode willmurphyscode self-assigned this Dec 4, 2024
@willmurphyscode willmurphyscode moved this from Ready to In Progress in OSS Dec 4, 2024
@wagoodman wagoodman moved this from In Progress to In Review in OSS Dec 4, 2024
willmurphyscode added a commit that referenced this issue Dec 4, 2024
…ailure (#3495)

* fixes issue #3346

Signed-off-by: Fearkin <[email protected]>

* chore: update schema and unit tests to reflect new copyright property

Signed-off-by: Christopher Phillips <[email protected]>

* chore: revert schema changes

Signed-off-by: Christopher Phillips <[email protected]>

* fix: noassert copyright on spdx root package

Signed-off-by: Will Murphy <[email protected]>

* test: explicitly test spdx 2.2 with tools-java validator

Signed-off-by: Will Murphy <[email protected]>

* test: update snapshot files

Signed-off-by: Will Murphy <[email protected]>

---------

Signed-off-by: Fearkin <[email protected]>
Signed-off-by: Christopher Phillips <[email protected]>
Signed-off-by: Will Murphy <[email protected]>
Co-authored-by: Fearkin <[email protected]>
Co-authored-by: Will Murphy <[email protected]>
@github-project-automation github-project-automation bot moved this from In Review to Done in OSS Dec 4, 2024