Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Multiple DESCRIBES relationships are not validated consistently #44

Open
armintaenzertng opened this issue Oct 13, 2022 · 2 comments · May be fixed by #45
Open

Multiple DESCRIBES relationships are not validated consistently #44

armintaenzertng opened this issue Oct 13, 2022 · 2 comments · May be fixed by #45
Labels
wontfix This will not be worked on

Comments

@armintaenzertng
Copy link

armintaenzertng commented Oct 13, 2022
edited
Loading

Not sure whether this is a tools-java or spdx-java-library issue. I generate a document using the following method:

public static void buildDocument() throws InvalidSPDXAnalysisException, IOException {

    var modelStore = new MultiFormatStore(new InMemSpdxStore(), MultiFormatStore.Format.XML, MultiFormatStore.Verbose.COMPACT);
    var documentUri = "https://some.namespace";
    var copyManager = new ModelCopyManager();

    var document = SpdxModelFactory.createSpdxDocument(modelStore, documentUri, copyManager);
    document.setName("document name");

    var sha1Checksum = Checksum.create(modelStore, documentUri, ChecksumAlgorithm.SHA1, "d6a770ba38583ed4bb4525bd96e50461655d2758");

    var fileA = document.createSpdxFile("SPDXRef-fileA", "./fileA.c", null,
                    List.of(), null, sha1Checksum)
            .build();

    document.getDocumentDescribes().add(fileA);

    document.addRelationship(
            document.createRelationship(
                    fileA, RelationshipType.DESCRIBES, null
            )
    );

    assert document.verify().isEmpty();

    modelStore.serialize(documentUri, new FileOutputStream("temp.xml"));
}

Note the assert statement that indicates that the generated document is valid.
The above yields the following output in temp.xml:

<?xml version='1.0' encoding='UTF-8'?>
<Document>
  <SPDXID>SPDXRef-DOCUMENT</SPDXID>
  <spdxVersion>SPDX-2.3</spdxVersion>
  <creationInfo>
    <created>2022-10-13T12:37:44Z</created>
    <creators>Tool: SPDX Tools</creators>
    <licenseListVersion>3.18</licenseListVersion>
  </creationInfo>
  <name>document name</name>
  <dataLicense>CC0-1.0</dataLicense>
  <documentDescribes>SPDXRef-fileA</documentDescribes>
  <documentNamespace>https://some.namespace</documentNamespace>
  <files>
    <SPDXID>SPDXRef-fileA</SPDXID>
    <checksums>
      <algorithm>SHA1</algorithm>
      <checksumValue>d6a770ba38583ed4bb4525bd96e50461655d2758</checksumValue>
    </checksums>
    <fileName>./fileA.c</fileName>
  </files>
  <relationships>
    <spdxElementId>SPDXRef-DOCUMENT</spdxElementId>
    <relationshipType>DESCRIBES</relationshipType>
    <relatedSpdxElement>SPDXRef-fileA</relatedSpdxElement>
  </relationships>
</Document>

But now, when I call

java -jar tools-java-1.1.1-jar-with-dependencies.jar Verify temp.xml

I get the following error:

Analysis exception processing SPDX file: Relationships are expected to be in an array for type Relationship

Thus, the tools-java and spdx-java-library Verify methods seem to contradict each other.

This also raises the question of the value of a DESCRIBES relationship when the tag documentDescribes already exists.
@goneall
Copy link
Member

goneall commented Oct 14, 2022

@armintaenzertng I was able to duplicates this with a unit test. From trying out various scenarios, it looks like this only occurs in the XML form and only if you add a duplicate document describes through a new relationship rather than adding it to the describes collection.

I'll transfer this to the spdx-java-jackson-store which implements the XML format.

I suspect the issue is related to a de-duplication algorithm to prevent duplicate relationships from being serialized.

Since this is a very unlikely scenario for normal use, I'm not planning on doing much more work on this issue - but feel free to look into it in the code if you feel this is an important issue to resolve. Pull requests are welcome. I'll create a draft PR with the unit test.

@goneall
Copy link
Member

goneall commented Oct 14, 2022

This also raises the question of the value of a DESCRIBES relationship when the tag documentDescribes already exists.

There was a discussion on this in the SPDX spec repo and it was decided that the tag/value, JSON, and YAML formats will use the describes tag even though the the relationship already exists. The actual SPDX Model uses relationships for the hasFiles and documentDescribes property implementation. These tags are just added as a convenience for the serialization and desearlization in these formats.

@goneall goneall transferred this issue from spdx/tools-java Oct 14, 2022
@goneall goneall linked a pull request Oct 14, 2022 that will close this issue
Draft
@goneall goneall linked a pull request Oct 14, 2022 that will close this issue
Add a unit test which duplicates issue#44 #45
Draft
@goneall goneall added the wontfix This will not be worked on label Oct 30, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
wontfix This will not be worked on
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Add a unit test which duplicates issue#44 spdx/spdx-java-jackson-store
2 participants
@goneall @armintaenzertng