Add support for SPDX Spec version 3 #167
Merged
Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
AlfredoEspinosa added a commit to AlfredoEspinosa/tools-java that referenced this pull request on Jun 25, 2025:
* Generation missing required properties for arrays
  Resolves issue spdx#57
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Make list required property names plural
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Fix documentation for license text
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update library dependencies for version 2.3 of the SPDX spec
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add version 2.3 test files
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update dependencies and bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Fix JSON test file
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* updated README to reflect the new file names and structures
  Signed-off-by: Armin Tänzer <armintaenzer@tngtech.com>
* updated CompareDocs method name in README
  Signed-off-by: Armin Tänzer <armintaenzer@tngtech.com>
* Verify JSON against version specific schema files
  Resolves issue spdx#74
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Resolve compare issues (spdx#70)
  * Fix compare spreadsheet name normalization
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Additional checks for compares
    - Check creator comment differences
    - Check to make sure there are no duplicate document namespaces
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Remove temp file
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Update POM file with the latest library dependencies
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Use unique document URI's for all test files
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update JSON schema
  Allows for both dashes and underscores in enumeration values
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add dependency-check util to POM file
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update library version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update schema generator for required fields
  See spdx/spdx-spec#795 for context on documentDescribes
  See spdx/spdx-spec#792 for context on enum underscores
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add support for RDF Turtle format
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Correct output type for TTL format
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add extra checks for NPE on getUri()
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add filename to message for InvalidFileNameException
  Fixes spdx#83
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update library versions to 1.1.2
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update POM file for release 1.1.2
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Change maven assembly to shade for jar-with-dependencies
  Fixes spdx#88
  This change was needed to properly load Jena
  See https://jena.apache.org/documentation/notes/jena-repack.html
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Remove extra shade transformers
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Set the XMLInputFactory property for RDF files
  Fixes spdx#90
  See Jena issue 2331 for more information: https://issues.apache.org/jira/browse/JENA-2331
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update POM file for release
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update version in Main.java
  Fixes spdx#94
* Add missing word "to" in "due to"
  Signed-off-by: Timothy Gillespie <tgillespie@kanzlei-jun.de>
* Add option to not copy license details
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update SPDX Java libraries to version 1.1.3
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update version of dependency track
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update version to 1.1.4 for release
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* feature(docker): Create docker container and push to ghcr
  Leverage tool with two possible usage methods:
  - Straight from docker run and a regular entrypoint
  - Inside docker image using wrapper `tools-java` available on PATH
  Signed-off-by: Helio Chissini de Castro <heliocastro@gmail.com>
* Update POM with correct Java versions
  The indirect dependency on Apache Jena requires Java 11
  This commit updates the POM file to reflect the correct Java versions in the POM file
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Turn off doclint
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Switch from source/target to release in Maven compiler
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update SPDX libraries to version 1.1.4
  This commit also updates the POM file to enforce Java 11 which is required due to an indirect dependency on Apache Jena
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update version for release
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update jar name in the examples
  Update jar name in the examples: tools-java-1.1.5-jar-with-dependencies.jar
  Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
* Add SpdxVersion.java
  Add SpdxVersion class to store and handle version information of tools, library and license list.
  Signed-off-by: Hirumal Priyashan <hirupriyashanrc@gmail.com>
* Add project.properties
  Add programmatically retrieving version number from `pom.xml`
  Signed-off-by: Hirumal Priyashan <hirupriyashanrc@gmail.com>
* Catch JSON exceptions in verify
  Improves error messages. Previously, a JSON parsing error would be reported as a file I/O error.
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Support JSON, YAML, XML (and tag/value) file types for SPDX Viewer
  Fixes spdx#116
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update JSON schema
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update JSON schema to latest
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update SPDX libraries to version 1.1.5
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Only warn for verify deprecated license IDs
  Fixes spdx#123
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update SPDX libraries
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Check for duplicate document URI in compare
  Fixes spdx#117
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update version for release
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Bump version
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update CI to use JDK 17
  Required by Sonar-Cloud
* Update library versions
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update OWL schema to include deprecated
  Also adds a '$schema' field.
  Fixes spdx#144
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Document supported spec versions
  Fixes spdx#130
* Update POM to use the release plugin
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Fix SCM connection in POM
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* [maven-release-plugin] prepare release v1.1.8
* [maven-release-plugin] prepare for next development iteration
* Update README.md to version 1.1.8
  Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
* adding slf4j-simple as uber jar won't allow using it via classpath
* use slf4j-simple, don't propagate it
  making slf4j-simple <optional>, so it is not passed to maven projects
  adding slf4j-simple content to uberjar so it is used for command line
* Add support for SPDX Spec version 3 (spdx#167)
  * Updated for SPDX spec version 3 changes to the library
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Remove type from ModelCopyManager interface
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Partial implementation of SPDX 3 support
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Implemented SpdxConverter for SPDX V3
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Implement verify for spec version 3
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Update to SPDX 3.0.1
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Fix schema and update deps for release
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Handle JSON-LD files that may end in '.json'
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  * Remove unused dependency check suppresses
    Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
  ---------
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* [maven-release-plugin] prepare release v2.0.0-Alpha
* [maven-release-plugin] prepare for next development iteration
* Update README for release
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Update README for release
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add JSONLD to the documentation for supported file types
  Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
* Add instructions in README to convert to SPDX 3.
  Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
* Update to SPDX Spec 3.0.1
* [maven-release-plugin] prepare release v2.0.0-RC1
* [maven-release-plugin] prepare for next development iteration
* Remove unused code
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Check if getCreationInfo is null before access
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Fix small typo
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Fix typo for DOWNLOAD_FIELD_TEXT value
  "Dowload Location" -> "Download Location"
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Fix small typos in variable and protected method names
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update schemas to the 3.0.1 released version
* Remove debug code + Add assertion
  Also rename spdx-2-2-revision-8-onotology.owl -> spdx-2-2-revision-8-ontology.owl
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add few assertions
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update src/main/java/org/spdx/tools/Verify.java
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
  Co-Authored-By: Gary O'Neall <gary@sourceauditor.com>
* Update src/main/java/org/spdx/tools/Verify.java
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
  Co-authored-by: Gary O'Neall <gary@sourceauditor.com>
* Initialize models in the Main
  This fixes a failure when executing the version command. Note that multiple calls to init will not cause any issue and has minimal performance impact.
* Update versions for SPDX libraries
* [maven-release-plugin] prepare release v2.0.0-RC2
* [maven-release-plugin] prepare for next development iteration
* Update README with RC2
  Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
* Add a step to update the README on new releases
* Standardise SPDX header in source files
  Also fix few typos
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add missing copyright headers
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add newline character at the end of file
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update package-info.java
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add back copyright notice text
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add back copyright notice text
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add back copyright notice text
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add back copyright notice text
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add Javadoc comments
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update GitHub Actions
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Fix 'build.plugins.plugin.version' is missing warning
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Add JSON schema latest version check
  Check content of local schema file with the remote location.
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update spdx-schema-v3.0.1.json
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Use URI.created().toURL() instead of new URL()
  - URI.created().toURL() is available since Java 1.4
  - new URL() (constructor) is deprecated in Java 20
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update SPDX libraries version in POM
  - java-spdx-library to 2.0.0
  - spdx-rdf-store to 2.0.0
  - spdx-jackson-store to 2.0.0
  - spdx-spreadsheet-store to 2.0.0
  - spdx-tagvalue-store to 2.0.0
  - spdx-v3jsonld-store to 1.0.0
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update com.networknt:json-schema-validator
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Only update dep to latest patch version
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Update org.apache.poi/poi to 5.4.1
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Normalize whitespace in schema compare unit test
  Fixes an issue where the compare fails if run on a windows environment where CRLF is used instead of LF
* [maven-release-plugin] prepare release v2.0.0
* [maven-release-plugin] prepare for next development iteration
* spdx-maven-plugin == 1.0.0
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* Fix Shade plugin version to 3.2.4
  Fixes spdx#201
  Later versions of the shade plugin strip out the dependencies in the POM file.
* Update JAR name in command line examples to 2.0.0
  - Update JAR name in command line examples to version 2.0.0
  - Fix few Markdown issues
  - Add Javadoc link
* Bump version of SPDX Jackson Store
* [maven-release-plugin] prepare release v2.0.1
* [maven-release-plugin] prepare for next development iteration
* Update README examples with new release versions
* Update spdx-maven-plugin and spdx-jackson-store
  Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
* spdx-schema-v2.3.json: fix OPERATING-SYSTEM package intent
  For Wolfi container at cgr.dev/chainguard/wolfi-base, trivy for spdx json SBOM generates

  ```json
  {
    "name": "wolfi",
    "SPDXID": "SPDXRef-OperatingSystem-2bccf727fe0bc7f8",
    "versionInfo": "20230201",
    "downloadLocation": "NONE",
    "filesAnalyzed": false,
    "primaryPackagePurpose": "OPERATING-SYSTEM",
    "annotations": [
      {
        "annotator": "Tool: trivy-0.62.1",
        "annotationDate": "2025-05-28T17:07:25Z",
        "annotationType": "OTHER",
        "comment": "Class: os-pkgs"
      },
      {
        "annotator": "Tool: trivy-0.62.1",
        "annotationDate": "2025-05-28T17:07:25Z",
        "annotationType": "OTHER",
        "comment": "Type: wolfi"
      }
    ]
  }
  ```

  Which fails validating with tools-java because "OPERATING-SYSTEM" value is with a dash, which matches the spec at https://spdx.github.io/spdx-spec/v2.3/package-information/#724-primary-package-purpose-field
  Given tools in wild follow the spec, imho it is relatively safe to update the schema here.
  Note we have PACKAGE_MANAGER PACKAGE-MANAGER saga before, so do help me validating any other tools that might be impacted, so far I see this schema file being the only one out of line.

---------

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>
Signed-off-by: Armin Tänzer <armintaenzer@tngtech.com>
Signed-off-by: Helio Chissini de Castro <heliocastro@gmail.com>
Signed-off-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
Signed-off-by: Hirumal Priyashan <hirupriyashanrc@gmail.com>
Signed-off-by: Arthit Suriyawongkul <arthit@gmail.com>
Co-authored-by: Gary O'Neall <gary@sourceauditor.com>
Co-authored-by: Armin Tänzer <armintaenzer@tngtech.com>
Co-authored-by: TimothyGillespie <timothy@gillespie.eu>
Co-authored-by: Helio Chissini de Castro <heliocastro@gmail.com>
Co-authored-by: Marc-Etienne Vargenau <marc-etienne.vargenau@nokia.com>
Co-authored-by: Hirumal Priyashan <hirupriyashanrc@gmail.com>
Co-authored-by: vanrenter <jeremie.van.renterghem@gmail.com>
Co-authored-by: Arthit Suriyawongkul <arthit@gmail.com>
Co-authored-by: Dimitri John Ledkov <dimitri.ledkov@surgut.co.uk>
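The commit log above records two sides of the same SBOM validation problem: an early schema update that "allows for both dashes and underscores in enumeration values", and the later spdx-schema-v2.3.json fix where trivy's OPERATING-SYSTEM value failed verification. The following is an added, stand-alone illustration (not tools-java code, which uses a full JSON Schema validator) of why such an SBOM is rejected under an underscore-only enum and accepted once both spellings are allowed; the package list and the second package are constructed.

```python
"""Check the primaryPackagePurpose enum of an SPDX 2.3 JSON SBOM.

Added example, not part of tools-java. It mirrors the dash/underscore
enumeration problem from the commit log: the spec spells the purposes
with dashes (e.g. OPERATING-SYSTEM) while an older schema only listed
underscores, so spec-conforming SBOMs failed verification.
"""
import json

# Primary package purposes from the SPDX 2.3 spec, as the spec spells them.
SPEC_PURPOSES = [
    "APPLICATION", "FRAMEWORK", "LIBRARY", "CONTAINER", "OPERATING-SYSTEM",
    "DEVICE", "FIRMWARE", "SOURCE", "ARCHIVE", "FILE", "INSTALL", "OTHER",
]


def build_enum(purposes, allow_both_spellings):
    """Return the set of enum values a schema would accept.

    allow_both_spellings=False reproduces an underscore-only schema;
    True mirrors the schema update that accepts dashes and underscores.
    """
    underscored = {p.replace("-", "_") for p in purposes}
    if not allow_both_spellings:
        return underscored
    return underscored | {p.replace("_", "-") for p in purposes}


def check_purposes(sbom_json, allowed):
    """Return (SPDXID, value) for every package whose purpose is not allowed."""
    doc = json.loads(sbom_json)
    failures = []
    for pkg in doc.get("packages", []):
        purpose = pkg.get("primaryPackagePurpose")
        if purpose is not None and purpose not in allowed:
            failures.append((pkg.get("SPDXID", "<no SPDXID>"), purpose))
    return failures


# Constructed document: the Wolfi package quoted in the commit log plus a
# made-up library package, trimmed to the fields this check needs.
SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "packages": [
        {"name": "wolfi", "SPDXID": "SPDXRef-OperatingSystem-2bccf727fe0bc7f8",
         "primaryPackagePurpose": "OPERATING-SYSTEM"},
        {"name": "zlib", "SPDXID": "SPDXRef-Package-zlib",
         "primaryPackagePurpose": "LIBRARY"},
    ],
})

if __name__ == "__main__":
    strict = build_enum(SPEC_PURPOSES, allow_both_spellings=False)
    relaxed = build_enum(SPEC_PURPOSES, allow_both_spellings=True)
    print("underscore-only schema:", check_purposes(SAMPLE_SBOM, strict))
    print("dash-or-underscore schema:", check_purposes(SAMPLE_SBOM, relaxed))
```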
Mostly stable, but does generate some warnings.