Incorrect successful parsing of invalid SPDX identifier fields

[awyeth]

SPDX identifiers require the SPDXRef- prefix and DocumentRef identifiers require the DocumentRef- prefix.

See spec details 6.3, 7.2, and 8.2

Currently, if the SPDXRef- prefix isn't present then the SBOM is parsed and the ID is accepted verbatim. Further, on being written out the SBOM will have the SPDXRef- prefix added.

Note, this also means that SPDXRef- is an accepted ID.

For example, the following SBOM:

{
  "SPDXID" : "SPDXRef-DOCUMENT",
  "spdxVersion" : "SPDX-2.3",
  "creationInfo" : {
    "created" : "2023-07-18T12:27:48Z",
    "creators" : [ "Person: Gary O'Neall", "Tool: spdx-maven-plugin" ],
    "licenseListVersion" : "3.21"
  },
  "name" : "tools-java",
  "dataLicense" : "CC0-1.0",
  "documentDescribes" : [ "SPDXRef-8" ],
  "documentNamespace" : "test",
  "packages" : [ {
    "SPDXID" : "7",
    "name" : "json-schema-validator"
  }],
  "relationships" : [ {
    "spdxElementId" : "7",
    "relationshipType" : "TEST_CASE_OF",
    "relatedSpdxElement" : "0"
  }]
}

is currently successfully parsed and when written has the following output:

{
  "spdxVersion":"SPDX-2.3",
  "dataLicense":"CC0-1.0",
  "SPDXID":"SPDXRef-DOCUMENT",
  "name":"tools-java",
  "documentNamespace":"test",
  "creationInfo":{
    "licenseListVersion":"3.21",
    "creators":["Person: Gary O'Neall","Tool: spdx-maven-plugin"],
    "created":"2023-07-18T12:27:48Z"
  },
  "packages":[{
    "name":"json-schema-validator",
    "SPDXID":"SPDXRef-7",
    "downloadLocation":"",
    "filesAnalyzed":true
  }],
  "relationships":[{
     "spdxElementId":"SPDXRef-7",
     "relatedSpdxElement":"SPDXRef-0",
     "relationshipType":"TEST_CASE_OF"
    },{
     "spdxElementId":"SPDXRef-DOCUMENT",
     "relatedSpdxElement":"SPDXRef-8",
     "relationshipType":"DESCRIBES"
  }]
}

#269 is the likely cause of this issue as it adjusted the parsing of IDs to be more tolerant of incorrectly formatted IDs.

Note, this came up as some of the sbom-conformance projects tests started failing as the input was parsed successfully (which was unexpected): google/sbom-conformance#70

[kzantow]

Hey @awyeth, generally speaking I think this library should be as lenient as possible and today there are already quite a lot of validations which are not likely to be implemented for SPDX 2, so I'm hesitant to restore this behavior. There's a particular issue that it looks like this library may have been outputting incorrect documents SPDX IDs, so there are likely to be cases where the change to correct the document IDs will result in documents that appeared valid before now failing to parse, which I assume could be a problem for a number of users since there may not be the opportunity to recreate these SBOMs. If this is critical behavior for you, I wouldn't be opposed to add some validation and/or some optional strict parsing though I don't have time to do this myself at the moment. Happy to hear any suggestions!

[lumjjb]

If i under correctly.. it does look like the check was in place a version ago (https://github.com/spdx/tools-golang/pull/269/files#diff-015ea2e1c59d51e6006f7be0fafae5e95f4af242c6112350d88fecd9a38aa24aL51-R83), so this would be a restoration of that check? Was that check causing issues?

My opinion is that if the check did not cause issues, the check will be helpful in improving the sbom quality bar.

[kzantow]

Ok, looking more closely at the changes, I don't think the invalid documents I was potentially concerned with would be impacted by restoring this functionality. I'd be happy to accept a PR 😄

[awyeth]

Excellent, I will send one your way!

Thank you!

[awyeth]

Thank you both for the quick review!