tools-java should issue an error for absolute FileName
vargenau opened this issue
Anchore Syft tool generates the following SPDX (tag:value):
FileName: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
SPDXID: SPDXRef-File-...Actalis-Authentication-Root-CA.crt-b2e28e6876228bbb
FileType: TEXT
FileChecksum: SHA1: 511ca95607022a99ed8e68bd63f136c4854cefcb
LicenseConcluded: NOASSERTION
FileComment: layerID: sha256:3f946b95045046b182ad195bfdb24fe56dd6ea12d34e35a0995218d22c05102a
tools-python complains that it is invalid SPDX.
file name must not be an absolute path starting with "/", but is: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
tools-java says that the SPDX file is valid.
The SPDX spec says: "A relative filename".
So I would expect tools-java to mark the file as invalid.
I agree - the validation for the SPDX file path name is in the SPDX Java Library - so I'm transferring the issue there.
Yes, I would only forbid absolute paths, those starting with "/".
The spec says "In general, every filename is preceded with a ./", so this seems to be a recommendation, not something mandatory.
I will ask the opinion of the community in the tech mailing list.
It seems the community agrees that only paths starting with "/" should be rejected.
Paths are not required to start with "./".
Thanks @vargenau for checking on this - I've updated the PR to only reject the absolute paths.
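As an added illustration of the rule the thread settled on (this is example code, not taken from tools-java or tools-python), the following Python parses a constructed tag:value fragment modelled on the Syft output above and flags only FileName values that begin with "/"; the SPDXIDs and the two extra relative-path files are made up for the example.

```python
"""Validate SPDX tag:value FileName fields: reject absolute paths only."""
import re

# Constructed fragment modelled on the Syft output quoted in the issue.
# The second and third files are invented to show the two accepted
# relative forms (with and without the optional "./" prefix).
SAMPLE_DOC = """\
FileName: /usr/share/ca-certificates/mozilla/Actalis_Authentication_Root_CA.crt
SPDXID: SPDXRef-File-1
FileType: TEXT
FileChecksum: SHA1: 511ca95607022a99ed8e68bd63f136c4854cefcb
LicenseConcluded: NOASSERTION

FileName: ./lib/libfoo.so
SPDXID: SPDXRef-File-2
FileType: BINARY

FileName: docs/README.md
SPDXID: SPDXRef-File-3
FileType: TEXT
"""

# A tag is a run of letters followed by a colon; the value may itself
# contain colons (e.g. "FileChecksum: SHA1: <hex>").
TAG_RE = re.compile(r"^([A-Za-z]+):\s*(.*)$")


def parse_files(doc: str) -> list[dict[str, str]]:
    """Split a tag:value document into one dict per file section.
    In tag:value SPDX a new file section begins at each FileName tag."""
    files: list[dict[str, str]] = []
    current: dict[str, str] | None = None
    for line in doc.splitlines():
        m = TAG_RE.match(line)
        if not m:
            continue  # blank lines and comments carry no tag
        tag, value = m.group(1), m.group(2).strip()
        if tag == "FileName":
            current = {}
            files.append(current)
        if current is not None:
            current.setdefault(tag, value)  # keep the first occurrence
    return files


def file_name_errors(files: list[dict[str, str]]) -> list[str]:
    """Reject only absolute paths (leading '/'); a './' prefix is optional."""
    errors = []
    for f in files:
        name = f.get("FileName", "")
        if name.startswith("/"):
            errors.append(f'{f.get("SPDXID", "?")}: FileName must not be an '
                          f'absolute path starting with "/", but is: {name}')
    return errors
```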