spdx / ntia-conformance-checker

Check SPDX SBOM for NTIA minimum elements


ntia-checker fails for files under fileName must not be an absolute path

m-dhana opened this issue · comments

The failure message is:

file name must not be an absolute path starting with "/", but is: /etc/alternatives/README

ntia-checker version is 0.5.0

Thanks, @m-dhana, for the bug report!

Would you mind providing the SBOM you used? Or a stylized version of that SBOM? That would help in debugging this issue.

@jspeed-meyers - Unfortunately, I cannot give the SBOM. All I can say is that the error message is displayed when the SBOM file has this info:

```json
"files": [
  {
    "fileName": "/a/b/c/d",
    "SPDXID": "SPDXRef-File-xyz",
    "checksums": [
      {
        "algorithm": "SHA1",
        "checksumValue": "0000000000000000000000000000000000000000"
      }
    ],
    "licenseConcluded": "NOASSERTION",
    "copyrightText": "",
    "comment": "layerID: sha256:123"
  },
```

@m-dhana, understood. We'll do our best to debug :)

@m-dhana:

I did a little digging and this is what I provisionally found.

First, I changed line 194 in SPDXRdfExample-v2.3.spdx.rdf.xml in tests/data/no_elements_missing to:

<spdx:fileName>/etc/alternatives/README</spdx:fileName>

and when I ran the tool on it, I got the type of error you documented:

The provided document is not valid according to the SPDX specification. The following errors were found:

file name must not be an absolute path starting with "/", but is: /etc/alternatives/README

I then dug into the SPDX specification and found section 3.4 on "Package File Name," which says:

3.4.2 Intent: Here, the actual file name of the compressed file containing the package may be a significant technical element that needs to be included with each package identification information. If a grouping, like a set of files in a subdirectory, is being treated as a package, the subdirectory name may be appropriate to provide. Subdirectory name is preceded with a "./",

So I think the "bug" is not a bug from the perspective of the SPDX specification and the python-tools implementation. (python-tools is the awesome SPDX python library underlying `ntia-conformance-checker`.) In other words, I think that if you add "./" at the beginning of the file names, then you will not receive an error. When I change the file name to ./etc/alternatives/README, I no longer get an error.

Does this make sense? Thoughts? If it's helpful, I can @ the relevant maintainers from spdx-tools. Thank you, again, for the bug report!
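The check described in the thread, as an added example that is not part of this issue or of ntia-conformance-checker/python-tools: it scans the `files` array of an SPDX JSON document for names starting with "/" (the condition the validator rejects) and produces a copy with those names rewritten to the "./"-relative form. The SBOM fragment is constructed for the example and modelled on the one quoted above.

```python
import copy
from typing import List, Tuple

# Constructed SPDX 2.3 JSON fragment (not a real SBOM). The first entry
# carries the absolute path that triggers the validation error discussed
# in this issue; the other two are already acceptable to the validator.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "files": [
        {"fileName": "/etc/alternatives/README", "SPDXID": "SPDXRef-File-1"},
        {"fileName": "./usr/bin/tool", "SPDXID": "SPDXRef-File-2"},
        {"fileName": "lib/libfoo.so", "SPDXID": "SPDXRef-File-3"},
    ],
}


def find_absolute_file_names(sbom: dict) -> List[Tuple[str, str]]:
    """Return (SPDXID, fileName) for every file whose name starts with '/'.

    This mirrors the condition behind the python-tools message
    'file name must not be an absolute path starting with "/"'.
    """
    return [
        (f.get("SPDXID", "<missing SPDXID>"), f["fileName"])
        for f in sbom.get("files", [])
        if f.get("fileName", "").startswith("/")
    ]


def relativize_file_names(sbom: dict) -> dict:
    """Return a deep copy of the SBOM with leading '/' rewritten to './'.

    Only the leading-slash case from the thread is rewritten; names that
    are already relative (with or without './') are left untouched.
    """
    fixed = copy.deepcopy(sbom)
    for f in fixed.get("files", []):
        name = f.get("fileName", "")
        if name.startswith("/"):
            # lstrip handles accidental doubled slashes such as '//etc/x'
            f["fileName"] = "./" + name.lstrip("/")
    return fixed


if __name__ == "__main__":
    for spdx_id, name in find_absolute_file_names(SAMPLE_SBOM):
        print(f"{spdx_id}: absolute fileName {name!r}")
    for f in relativize_file_names(SAMPLE_SBOM)["files"]:
        print(f"{f['SPDXID']}: {f['fileName']}")
```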

@jspeed-meyers - Thank you for researching.
Yes, as per this article https://spdx.dev/spdx-specification-21-web-version/#h.37m2jsg the file name should start with "./".
I will make the changes needed.
Closing this ticket.