Update JSON schema #528

Merged
goneall merged 8 commits into development/v2.2.1 from updatejsonschema
Sep 9, 2021


goneall commented Aug 16, 2021

Update the JSON schema to be consistent with the current JSON example file.

  • Remove the top level Document property
  • Add documentNamespace

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Aug 16, 2021

Resolves issue #527


goneall commented Aug 16, 2021

@SamuraiAku - this PR should resolve the issue, however, when I run it through one of the online JSON schema validators with the current JSON example, it seems that everything validates - even an empty JSON file.

Let me know if you have any ideas on how to improve the JSON file and I'll update the PR.

BTW - This JSON schema file is generated by the SPDX Java tools


SamuraiAku left a comment


Edit: Nevermind, I was mistyping when searching for the change.

@goneall If you want to remove the Document overall property I guess that's OK. But that's not what I was looking for. We need a field for documentNamespace, section 2.5 of the spec. There is nothing for that now.

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Aug 18, 2021

Added the SPDXID property to the Element classes which includes the SpdxDocument. This will resolve issue #529


goneall commented Aug 18, 2021

I plan on improving the detail of the schema substantially over the next week. I'll be posting the improvements to this PR.

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Aug 19, 2021

Added licenseConcluded and licenseDeclared to schema - resolve issue #530

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Aug 19, 2021

Added the missing spdxElementId from relationships to the schema - resolves issue #531

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Aug 19, 2021

Schema updated with required fields which forces validation. Resolved an issue where both fileName and name properties were on the files array - should only be fileName.


goneall commented Aug 19, 2021

This schema should be good to go - I'd appreciate any reviews.

goneall marked this pull request as ready for review August 19, 2021 22:35
Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Aug 20, 2021

Renamed property describesPackages to documentDescribes - resolves issue #533


goneall commented Aug 23, 2021

@swinslow
Member

Hi @goneall, is this modifying the existing properties for JSON documents for SPDX 2.2?

I'm asking because @specter25 has been working on the JSON parsing / saving for the Golang tools for SPDX 2.2 as his GSoC project this summer, which has now concluded. Though I believe he has mostly been working from the example JSON file as the definition of SPDX JSON, so if this is just aligning the schema definition to fit with that example file, then hopefully that should be fine.


goneall commented Aug 24, 2021

> is this modifying the existing properties for JSON documents for SPDX 2.2?

@swinslow The intent is not to modify any of the existing properties. The intent is to make the current schema consistent with the JSON example file - which is our only other documentation on the JSON serialization format.

I did test this schema against the current JSON example using the JSON Schema Lint online tool and it passed.

If you have a chance, it would be helpful to run the output of the golang tools against the same schema. If you find any issues, we can discuss here and decide if it is a schema or tool issue.


goneall commented Aug 26, 2021

@SamuraiAku @swinslow - Just pinging both of you for a review of this PR - let me know if you think this is OK to merge. I realize there are still some outstanding issues with the JSON schema this PR doesn't resolve - we can add additional PR's to handle those later.


davaya commented Sep 1, 2021

In order to prevent the schema from validating everything including empty files, it's a good practice to include "additionalProperties": false on every object type. I also include string size limits (I picked 5,000 characters out of the air) for extracted texts - the precise number isn't that important, but an SPDX file with megabytes or gigabytes in one extracted license text is probably not valid.

We should have some invalid SPDX test files to ensure that the schema doesn't pass them - I'm sure there are plenty of examples from the NTIA plugfests, but haven't systematically gone through them yet. Checking for false positives is as important as eliminating false negatives.

A JSON schema generated from my SPDX-v2.2 information model also validates the current JSON example using JSON Schema Lint.
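
The following is an added example, not part of the PR or any commenter's code. It shows why a schema that only lists `properties` accepts every object, and how `required`, `"additionalProperties": false` and a `maxLength` turn invalid documents into failures. Assumptions: the validator is a simplified stand-in for a real JSON Schema validator, the schemas and documents are constructed, the top-level required list and the placement of the 5,000-character limit on `copyrightText` are illustrative, and the required list for files is the one quoted later on this page.

```python
# Added example: validator for a small subset of JSON Schema; returns a list of errors.
TYPES = {"object": dict, "array": list, "string": str}
def validate(inst, schema, path="$"):
    kind = schema.get("type")
    if kind and not isinstance(inst, TYPES[kind]):
        return [f"{path}: expected {kind}"]
    errors = []
    if kind == "object":
        errors += [f"{path}: missing '{n}'" for n in schema.get("required", []) if n not in inst]
        props = schema.get("properties", {})
        for name, value in inst.items():
            if name in props:
                errors += validate(value, props[name], f"{path}.{name}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}: unexpected property '{name}'")
    elif kind == "array":
        for i, item in enumerate(inst):
            errors += validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif kind == "string" and len(inst) > schema.get("maxLength", float("inf")):
        errors.append(f"{path}: longer than maxLength")
    return errors

def build_schema(strict):  # strict adds required, additionalProperties, maxLength
    s, text = {"type": "string"}, {"type": "string"}
    file_ = {"type": "object", "properties": {
        "SPDXID": s, "fileName": s, "licenseConcluded": s, "copyrightText": text}}
    doc = {"type": "object", "properties": {"SPDXID": s, "documentNamespace": s,
           "files": {"type": "array", "items": file_}}}
    if strict:
        text["maxLength"] = 5000  # limit placed on copyrightText for illustration
        file_.update(additionalProperties=False, required=[
            "SPDXID", "fileName", "copyrightText", "licenseConcluded"])
        # Top-level required list is an assumption made for this example.
        doc.update(additionalProperties=False, required=["SPDXID", "documentNamespace"])
    return doc

FILE = {"SPDXID": "SPDXRef-File", "fileName": "./a.c",
        "copyrightText": "NOASSERTION", "licenseConcluded": "MIT"}
GOOD = {"SPDXID": "SPDXRef-DOCUMENT", "files": [FILE],
        "documentNamespace": "https://example.com/spdx/doc-1"}
INVALID = {  # constructed negative samples that a useful schema must reject
    "empty": {},
    "document_wrapper": {"Document": GOOD},
    "name_and_fileName": {**GOOD, "files": [{**FILE, "name": "./a.c"}]},
    "oversized_text": {**GOOD, "files": [{**FILE, "copyrightText": "x" * 5001}]},
}

def false_positives(schema):  # names of invalid samples the schema wrongly accepts
    return [name for name, doc in INVALID.items() if not validate(doc, schema)]
```

Running `false_positives` against both variants in CI gives a regression check that the schema keeps rejecting known-bad documents as it evolves.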

…r lineNumber and offset

Signed-off-by: Gary O'Neall <gary@sourceauditor.com>

goneall commented Sep 2, 2021

Thanks @davaya for the review! I added the additionalProperties as suggested. I didn't add the length restrictions since they are not currently included in the spec (something we should probably add).

BTW - it looks like your schema is much more complete. We should consider using your schema in future releases.


goneall merged commit a08ffa4 into development/v2.2.1 Sep 9, 2021
goneall deleted the updatejsonschema branch September 9, 2021 17:53
spiffcs added a commit to anchore/syft that referenced this pull request Sep 14, 2021
latest patch for json schema:
https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json

See this pr:
spdx/spdx-spec#528

See this comment:
spdx/spdx-spec#528 (comment)

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
spiffcs added a commit to anchore/syft that referenced this pull request Sep 17, 2021
* update spdx22 Document model to include relationships field

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update document and relationship to match current JSON spec
https://github.com/spdx/spdx-spec/blob/development/v2.2.1/schemas/spdx-schema.json
spdx/spdx-spec#528
spdx/spdx-spec#528 (comment)

Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>

* update File struct based on SPDX schema

Required fields:
[ "SPDXID", "fileName", "copyrightText", "licenseConcluded" ]
Signed-off-by: Christopher Angelo Phillips <christopher.phillips@anchore.com>
GijsCalis pushed a commit to GijsCalis/syft that referenced this pull request Feb 19, 2024