InvalidSPDXAnalysisException with Missing SPDX element for ID is thrown #61

Open
chbaeumer opened this issue May 26, 2023 · 5 comments

@chbaeumer

The function restoreRelationships is throwing an InvalidSPDXAnalysisException if an element for the given elementId cannot be found within the addedElements, i.e. the elements of the current SPDX file.

Due to the definition of the SPDX we have a lot of relationship types where the order is reversed like CONTAINED_BY, GENERATED_FROM, etc. In these cases I would expect that addedFiles contains the relatedSpdxElement.

@goneall
Member

goneall commented May 27, 2023

The current SPDX model has the relationships as a property of the SPDX element, so it needs to be in the current SPDX document so it can be added to the element. Reference the SPDX 2.3 model diagram Element class - you'll see relationship is a property.

Note that in the SPDX 3.0 model relationships are standalone - actually, elements themselves, so we can fix it once SPDX 3.0 is implemented.

@chbaeumer
Author

Thank you for your response.
It has to be fixed somehow. For better understanding: I am trying to parse the SPDX output of a Linux image created with the Yocto framework. There you have a starting point (aka driver SPDX file). All other ~2500 files are referenced via external document references. I want to make sure that the whole set of SPDX files is valid and transform them to a different format like you did with your "do-convert". I read the externalRefs in a pre-process to build a graph to load the SPDX files in the correct order to circumvent a lot of errors.
But as I said: due to the nature of SPDX not all elements are in the set of addedElements of a file. In most cases it is vice versa.

Example:

External reference SPDX/img/recipe-gettext-minimal-native.spdx.json loaded
Error creating SPDX document from SPDX/img/recipe-autoconf-native.spdx.json: Missing SPDX element for ID DocumentRef-dependency-recipe-gettext-minimal-native:SPDXRef-Recipe-gettext-minimal-native

which is defined as

{ "relatedSpdxElement": "SPDXRef-Recipe-autoconf-native", "relationshipType": "BUILD_DEPENDENCY_OF", "spdxElementId": "DocumentRef-dependency-recipe-gettext-minimal-native:SPDXRef-Recipe-gettext-minimal-native" },

And as you can see in the first code line above I loaded recipe-gettext-minimal-native just before.

Do you have any hint how to solve this?

@goneall
Member

goneall commented May 31, 2023

> Do you have any hint how to solve this?

I don't have any great solutions, but I can think of a few possibilities (all admittedly less than perfect):

  • Use DEPENDS_ON and reverse the direction of the relationship so that the "from" part of the relationship is defined in the SPDX document. This isn't as precise as BUILD_DEPENDENCY_OF, but will at least capture the information. You can include a relationship comment to capture that this is a build dependency. The approach we took in SPDX 2.X was to have symmetrical relationships to solve this. It looks like we didn't do this for BUILD_DEPENDENCY_OF.
  • Copy the from part of the relationship into the SPDX document removing the need for the external document reference - from your comment above, it looks like this isn't feasible - but I thought I would mention it as a possibility
  • Wait for the SPDX 3.0 release and use the new relationship structure - this fully solves the issue, but the spec isn't quite ready yet. I'm working on a new version of the libraries with a prototype SPDX 3.0 support. Hoping to have it ready in the next 3 weeks or so.
  • Add a new BUILD_DEPENDENCY_FOR relationship type and create a dot release for the SPDX 2.X spec - we would have some challenges getting support for a new dot release since 3.0 is almost out, but I thought I would add this for completeness.
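
The first workaround in the list above, sketched as a pre-processing pass over an SPDX 2.x JSON document (an added example, not part of the thread and not code from the SPDX libraries). The function names, the `INVERSE` table and the sample document are assumptions made for illustration; it goes slightly beyond the thread by also using true inverse types such as CONTAINS where SPDX 2.x defines one.

```python
import json

# Constructed sample, trimmed to the fields used here; the relationship is the
# one quoted in the thread, the namespace URI is a placeholder.
SAMPLE = json.loads("""{
  "externalDocumentRefs": [
    {"externalDocumentId": "DocumentRef-dependency-recipe-gettext-minimal-native",
     "spdxDocument": "http://example.invalid/recipe-gettext-minimal-native"}],
  "relationships": [
    {"spdxElementId": "DocumentRef-dependency-recipe-gettext-minimal-native:SPDXRef-Recipe-gettext-minimal-native",
     "relationshipType": "BUILD_DEPENDENCY_OF",
     "relatedSpdxElement": "SPDXRef-Recipe-autoconf-native"},
    {"spdxElementId": "SPDXRef-DOCUMENT",
     "relationshipType": "DESCRIBES",
     "relatedSpdxElement": "SPDXRef-Recipe-autoconf-native"}]
}""")

# SPDX 2.x types that have a true inverse type.
INVERSE = {"CONTAINED_BY": "CONTAINS", "GENERATED_FROM": "GENERATES",
           "DEPENDENCY_OF": "DEPENDS_ON", "DESCRIBED_BY": "DESCRIBES"}

def is_external(element_id):
    """True for IDs of the form DocumentRef-<doc>:SPDXRef-<element>."""
    return element_id.startswith("DocumentRef-") and ":" in element_id

def localize(doc):
    """Reverse relationships whose 'from' end is external; return (rels, problems)."""
    declared = {r["externalDocumentId"] for r in doc.get("externalDocumentRefs", [])}
    rels, problems = [], []
    for rel in doc.get("relationships", []):
        src, rtype, dst = rel["spdxElementId"], rel["relationshipType"], rel["relatedSpdxElement"]
        if not is_external(src):
            rels.append(rel)  # 'from' end is local: the parser can attach it
            continue
        if src.split(":", 1)[0] not in declared:
            problems.append(f"undeclared external document in {src}")
        new = {"spdxElementId": dst, "relatedSpdxElement": src}
        if is_external(dst) or dst in ("NONE", "NOASSERTION"):
            problems.append(f"no local end to attach to: {src} {rtype} {dst}")
            new = rel
        elif rtype in INVERSE:
            new["relationshipType"] = INVERSE[rtype]
        elif rtype.endswith("_DEPENDENCY_OF"):
            # No inverse in 2.x: fall back to DEPENDS_ON, keep the detail in a comment.
            new.update(relationshipType="DEPENDS_ON", comment=f"Reversed from {rtype}")
        else:
            problems.append(f"no safe reversal for {rtype} from {src}")
            new = rel
        rels.append(new)
    return rels, problems
```

Relationships listed in `problems` are returned unchanged, so a document that cannot be fully localized is reported rather than silently altered.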

@chbaeumer
Author

I do it in a different way now. I assume that the spdxElement always gets the relationship.
I changed your implementation in such a way that if the spdxElement is an IndividualUriValue, I move the relationship during the restore into the namespace of the IndividualUriValue, do same conversions and create there a new ExternalDocumentRef.

This works now for

  • spdxElement is IndividualUriValue and relatedSpdxElement is TypedValue
  • spdxElement is IndividualUriValue and relatedSpdxElement is IndividualUriValue

If spdxElement is a TypedValue nothing has changed.

As soon as I have my clearance from my company to distribute to OSS I will try to create a fork and pull request.

@goneall
Member

goneall commented Jun 6, 2023

Thanks @chbaeumer - I look forward to the PR.
